CVE-2021-38315: 
WordPress vulnerability analysis and mitigation

The SP Project & Document Manager WordPress plugin (versions up to and including 4.25) was found to contain a Reflected Cross-Site Scripting vulnerability (CVE-2021-38315). The vulnerability was discovered in August 2021 and affects the plugin through attribute-based XSS via the 'from' and 'to' parameters in the functions.php file (NVD, WPScan).

The vulnerability is classified as a CWE-79 (Improper Neutralization of Input During Web Page Generation) with a CVSS v3.1 Base Score of 6.1 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The issue allows attackers to inject arbitrary web scripts through the manipulation of the 'from' and 'to' parameters in the plugin's functions.php file (Wordfence).

When exploited, this vulnerability allows attackers to inject and execute arbitrary web scripts in the context of the affected WordPress site. This can lead to potential theft of sensitive information, session hijacking, or other malicious actions performed in the context of the user's browser (WPScan).

The vulnerability was fixed in version 4.26 of the SP Project & Document Manager plugin. Users are advised to update to this version or later to protect against this security issue (WPScan).