
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-4225 is a file upload vulnerability affecting SP Project & Document Manager WordPress plugin versions 4.23 and below. The vulnerability was discovered by pang0lin and publicly disclosed on June 28, 2021. This security issue affects WordPress installations running the SP Project & Document Manager plugin on Windows environments (WPScan).
The vulnerability is a bypass of a previous security fix that attempted to prevent PHP file uploads. While the plugin implements restrictions on file extensions to prevent the upload of PHP files, the security check can be bypassed on Windows servers by appending a dot at the end of the filename (e.g., '1.php.'). Due to Windows file system behavior, the trailing dot is automatically removed, resulting in a valid PHP file on the server (GitHub).
The vulnerability allows authenticated users, including those with low-privilege roles such as subscribers, to upload and execute arbitrary PHP files on affected WordPress installations. This could lead to remote code execution and potentially full server compromise (WPScan).
The vulnerability has been patched in version 4.24 of the SP Project & Document Manager plugin. Site administrators should update to this version or later to protect against this vulnerability (WPScan).
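The following is an added illustration, not code from the plugin or from the advisory: a naive extension check of the kind the page describes beside a check that first normalizes the filename the way Win32 does (trailing dots and spaces are stripped on file creation), so the trailing-dot variant is judged by the name the server will actually store. Python is used here for illustration only; the plugin itself is PHP, and the extension lists and function names are constructed for this example.

```python
"""Upload filename validation: naive last-dot check vs. a normalized allowlist check."""

# Constructed lists for this example; a real handler would use the site's own policy.
ALLOWED_EXTENSIONS = {"pdf", "docx", "xlsx", "png", "jpg", "txt"}
PHP_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "php7", "phps", "phar"}


def naive_is_php(filename: str) -> bool:
    """Check of the kind the page describes: only the text after the last dot.
    For '1.php.' that text is empty, so the name is not flagged."""
    return filename.rpartition(".")[2].lower() in PHP_EXTENSIONS


def canonical_name(filename: str) -> str:
    """Return the name the server will actually store under.
    Win32 silently strips trailing dots and spaces when creating a file, so the
    check must see the stripped form; any client-supplied directory part is dropped."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rstrip(". ")


def hardened_is_allowed(filename: str) -> bool:
    """Allowlist check on the canonical name. Rejects a PHP segment anywhere in
    the name (e.g. 'x.php.txt'), not just in the last position, and rejects
    names with no extension or an empty base name (e.g. '.htaccess')."""
    name = canonical_name(filename)
    segments = name.lower().split(".")
    if len(segments) < 2 or not segments[0]:
        return False
    if any(seg in PHP_EXTENSIONS for seg in segments[1:]):
        return False
    return segments[-1] in ALLOWED_EXTENSIONS
```

Only the check on `canonical_name` is sound on Windows hosts; any check on the raw client-supplied name can be made to disagree with what the filesystem stores.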
Source: This report was generated using AI