CVE-2024-3748: 
WordPress vulnerability analysis and mitigation

The SP Project & Document Manager WordPress plugin through version 4.71 contains a vulnerability related to missing validation in its upload function. The vulnerability was discovered and disclosed on April 24, 2024, and is tracked as CVE-2024-3748. This security flaw affects the sp-client-document-manager plugin and currently has no known fix (WPScan).

The vulnerability is classified as an Insecure Direct Object Reference (IDOR) issue, falling under the OWASP Top 10 category A5: Broken Access Control. The flaw allows users to manipulate the user_id parameter during file uploads, making it appear that files were uploaded by different users. The vulnerability has received a CVSS score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N (WPScan, NVD).

The vulnerability allows attackers to manipulate file upload attribution, potentially leading to unauthorized file uploads appearing as if they were submitted by other users. Additionally, the upload directory can be manipulated by changing the pid parameter (WPScan).

Currently, there is no known fix available for this vulnerability in the SP Project & Document Manager WordPress plugin. Users should consider implementing additional access controls or monitoring systems until a patch is released (WPScan).