HIGH · CVE-2024-37224 · CVSS 7.5

CVE-2024-37224: Directory Traversal in SP Project & Document Manager

Platform

wordpress

Component

sp-client-document-manager

Fixed in

4.71.1

AI Confidence: high · NVD · EPSS 1.5% · Reviewed: May 2026

CVE-2024-37224 describes a Directory Traversal vulnerability discovered in SP Project & Document Manager. This flaw allows attackers to potentially read sensitive files from the server by manipulating file paths. Versions of SP Project & Document Manager prior to 4.71 are affected. A patch is available in version 4.71.1.


Impact and Attack Scenarios

The Directory Traversal vulnerability allows an attacker to bypass intended access restrictions and retrieve files from the server's file system. Successful exploitation could lead to the exposure of sensitive data such as configuration files, database credentials, or even source code. An attacker could leverage this to gain a deeper understanding of the application's architecture and identify further vulnerabilities. While the immediate impact is information disclosure, it could be a stepping stone for more severe attacks, such as code execution if sensitive files contain credentials or scripts.

Exploitation Context

CVE-2024-37224 was publicly disclosed on July 9, 2024. No public proof-of-concept exploits are currently known. The EPSS score is pending evaluation. Monitor security advisories and threat intelligence feeds for any indications of active exploitation.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High

EPSS

1.49% (81% percentile)

CISA SSVC

Exploitation: none
Automatable: yes
Technical Impact: partial

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (base score 7.5, HIGH)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: None (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: None (risk of unauthorized data modification)
Availability: None (risk of service disruption)

Source: nextguardhq.com, CVSS v3.1 base score
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
None — unauthenticated. No login or credentials needed to exploit.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
None — no integrity impact. Attacker cannot modify data.
Availability
None — no availability impact. Service remains fully operational.

Affected Software

Component: sp-client-document-manager
Vendor: smartypants
Affected range: 0.0.0 – 4.71
Fixed in: 4.71.1

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated

Mitigation and Workarounds

The primary mitigation is to upgrade SP Project & Document Manager to version 4.71.1 or later, which contains the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to restrict access to sensitive files and directories. Specifically, block requests containing path traversal sequences like ../. Regularly review access logs for suspicious requests attempting to access files outside of the intended directory structure. Implement strict file permissions on the server to limit the impact of a successful attack.
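The log review suggested above needs to catch more than the literal "../" string, because the same traversal sequence can arrive percent-encoded ("..%2f"), double-encoded ("%252e%252e%252f") or with backslashes. The following Python script is an added example, not code from the plugin or from this advisory: it normalises each request target before matching and then scans a few constructed Apache/nginx-style access log lines. The "action=EXAMPLE_ACTION" parameter and the IP addresses in the sample are placeholders, since the plugin's real endpoint is not given on this page.

```python
import re
from urllib.parse import unquote

# After normalisation a traversal attempt shows up as a ".." segment followed by
# a slash or the end of the target (e.g. "../../wp-config.php").
_TRAVERSAL_RE = re.compile(r"\.\.(/|$)")

# Combined Log Format as written by Apache/nginx; only the request target,
# the client IP, the timestamp and the status code are needed here.
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3})'
)


def normalise_target(target: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double encoding (%252e -> %2e -> .) is
    undone, then fold backslashes to slashes so "..\\" is treated like "../"."""
    decoded = target
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def contains_traversal(target: str) -> bool:
    """True if the request target (path plus query string) contains a '..'
    path segment once encoding tricks have been undone."""
    return _TRAVERSAL_RE.search(normalise_target(target)) is not None


def scan_access_log(lines):
    """Return (ip, timestamp, target, status) for every request whose target
    contains a traversal sequence. Lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        if contains_traversal(m.group("target")):
            hits.append((m.group("ip"), m.group("ts"),
                         m.group("target"), int(m.group("status"))))
    return hits


# Constructed sample log (placeholder IPs and a placeholder action name).
SAMPLE_LOG = """\
203.0.113.10 - - [09/Jul/2024:10:01:02 +0000] "GET /wp-content/plugins/sp-client-document-manager/readme.txt HTTP/1.1" 200 512
203.0.113.10 - - [09/Jul/2024:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=EXAMPLE_ACTION&file=../../../wp-config.php HTTP/1.1" 200 3044
203.0.113.10 - - [09/Jul/2024:10:01:07 +0000] "GET /wp-admin/admin-ajax.php?action=EXAMPLE_ACTION&file=..%2f..%2fwp-config.php HTTP/1.1" 200 3044
203.0.113.11 - - [09/Jul/2024:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=EXAMPLE_ACTION&file=%252e%252e%252fwp-config.php HTTP/1.1" 403 199
198.51.100.7 - - [09/Jul/2024:10:03:00 +0000] "GET /index.php?p=12 HTTP/1.1" 200 8801
"""

if __name__ == "__main__":
    for ip, ts, target, status in scan_access_log(SAMPLE_LOG.splitlines()):
        flag = "SERVED" if status == 200 else "blocked"
        print(f"{ts} {ip} {flag} {target}")
```

Entries with a 200 status are the ones worth investigating, since a 403 means the request was already refused by the server or a WAF. The same normalise-then-match order applies to a WAF rule: a rule that only blocks the raw "../" string will let the encoded forms through.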

How to fix

Update the SP Project & Document Manager plugin to the latest available version. The path traversal vulnerability allows access to unauthorized files, so updating is essential to mitigate the risk. Check the plugin page on WordPress.org for the most recent version.


Frequently asked questions

What is CVE-2024-37224 — Directory Traversal in SP Project & Document Manager?

CVE-2024-37224 is a vulnerability allowing attackers to read arbitrary files on a server running SP Project & Document Manager. It's rated HIGH severity due to the potential for sensitive data exposure.

Am I affected by CVE-2024-37224 in SP Project & Document Manager?

You are affected if you are using SP Project & Document Manager versions 4.71 and earlier. Upgrade to 4.71.1 to resolve the issue.

How do I fix CVE-2024-37224 in SP Project & Document Manager?

Upgrade to version 4.71.1 or later. As a temporary workaround, implement WAF rules to block path traversal attempts and monitor access logs.

Is CVE-2024-37224 being actively exploited?

As of July 2024, no active exploitation has been publicly confirmed, but it's crucial to apply the patch promptly.

Where can I find the official SP Project & Document Manager advisory for CVE-2024-37224?

Refer to the official SP Project & Document Manager website or their security advisory page for the latest information and updates regarding CVE-2024-37224.
