The SP Project & Document Manager plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 4.67. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for authenticated attackers with subscriber privileges or above, to change user passwords and potentially take over administrator accounts.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Sp_project_&_document_manager | Smartypantsplugins | * | 4.67 (including) |