CVE CyberSecurity Database News

CVE-2024-24868 - SQL Injection Vulnerability in Smartypants SP Project & Document Manager (Through 4.69)

Poster -

If you are managing files or projects using the Smartypants SP Project & Document Manager, you need to read this. A new critical vulnerability, CVE-2024-24868, was disclosed recently that puts your website’s data and your users’ privacy at risk.

Let’s break down what’s going on, how this can be exploited, what you should do, and show you real code samples so you can spot and fix this issue if needed.

What is CVE-2024-24868?

This vulnerability is a classic SQL Injection flaw, classified as "Improper Neutralization of Special Elements used in an SQL Command". In simpler terms, the plugin does not properly clean (sanitize) user inputs before sending them into the database. A malicious user can trick the system to run their own SQL commands—exposing or destroying confidential data.

Affected Versions:
All versions up to 4.69 (possibly earlier versions too; exact versions not specified by the vendor, so latest patch is always best).

Product:
SP Project & Document Manager

Backdoor installation: Malicious code can be injected for persistent attacks.

This vulnerability scored high (Critical) in CVSS, since SQL Injection is one of the most dangerous web risks.

The Exploit: How Attackers Abuse This

The flaw lies in the plugin handling user input in SQL queries without proper preparation or parameterization.

Attack scenario

1. Attacker finds a form or URL parameter affected by the plugin (for example, searching, filtering, or viewing documents).

Malicious SQL code is inserted in the input field.

3. If the plugin just appends this input directly into a SQL query, the database executes whatever was written there.

Suppose there is a vulnerable parameter file_id used in a request like so

https://yourwebsite.com/wp-admin/admin.php?page=sp-client-document-manager&file_id=15

If the code behind simply inserts file_id without checks

$file_id = $_GET['file_id'];
$sql = "SELECT * FROM wp_sp_files WHERE id = $file_id"; 
$results = $wpdb->get_results($sql);

An attacker could change the URL to

https://yourwebsite.com/wp-admin/admin.php?page=sp-client-document-manager&file_id=15%20OR%201=1

Now the query becomes

SELECT * FROM wp_sp_files WHERE id = 15 OR 1=1

This returns every file (since 1=1 is always true), potentially revealing private data to unauthorized users.

Worse attacks are possible, such as leaking user accounts, passwords (if not properly hashed), etc.

Let’s say a logged-in lower-level user submits

15 UNION SELECT user_login, user_pass, NULL, NULL FROM wp_users --

So, the query becomes

SELECT * FROM wp_sp_files WHERE id = 15
UNION SELECT user_login, user_pass, NULL, NULL FROM wp_users --

Now the response could contain WordPress usernames and hashes!

Update the Plugin:

The developer has released a fix in version 4.70 (check official changelog). Always keep plugins updated!

Replace unsafe SQL concatenation with prepared statements. For WordPress, use $wpdb->prepare()

$file_id = intval($_GET['file_id']);
$sql = $wpdb->prepare("SELECT * FROM wp_sp_files WHERE id = %d", $file_id);
$results = $wpdb->get_results($sql);

Restrict Permissions:

Lock down file/project access to only those who need it.

Bonus Tip:

Install a Web Application Firewall (like Wordfence).

References & Credits

- CVE-2024-24868 at NVD
- WordPress.org Plugin Page
- Smartypants Plugins Home
- OWASP SQL Injection Cheat Sheet

Conclusion

CVE-2024-24868 is a high-risk vulnerability in a widely-used WordPress document management plugin. If you run any version up to 4.69, you need to update _NOW_. Always code defensively, sanitize every input, and keep your software current.

If you have any doubts about your setup, disable the plugin until you’re secure.

Stay safe, keep learning—and patch early! If you found this post useful, consider sharing it with other site admins.

Timeline

Published on: 02/28/2024 13:15:08 UTC
Last modified on: 02/28/2024 14:06:45 UTC