CVE-2024-31118 MEDIUM

CVE-2024-31118: WordPress SP Project & Document Manager plugin <= 4.70 - Broken Access Control to XSS vulnerability

Vendor Smartypants
Product SP Project & Document Manager
Weakness CWE-862 · Missing authorization
Published February 17, 2026
Last update April 28, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

What the vulnerability does

01Description

Missing Authorization vulnerability in Smartypants SP Project & Document Manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SP Project & Document Manager: from n/a through 4.70.

Explanation of Vulnerability in Simple Terms

02Summary

SP Project & Document Manager versions up to 4.70 lack proper authorization checks, allowing authenticated users to access or modify documents and projects they should not have permission to view. The vulnerability requires user interaction and affects confidentiality, integrity, and availability. Site administrators should update to a version newer than 4.70 when available.

What an attacker can do

03Attacker Capabilities

Access or modify documents and projects belonging to other users or teams without proper authorization.

Potential impact on your site

04Site Impact

Unauthorized data access, modification, or deletion across projects; potential data breach or loss of document integrity.

Conditions required to exploit

05Prerequisites

Attacker must have a valid user account and trick a victim into clicking a malicious link or visiting a crafted page.

Key dates

06Disclosure timeline

February 17, 2026 CVE published
April 28, 2026 Record updated