CVE-2014-9178

Smarty Pants Plugins SP Project & Document Manager <2.4.1 - SQL Inj...

Exploitation Summary

EIP tracks 1 public exploit for CVE-2014-9178. PoCs published by ITAS Team.

AI-analyzed exploit summary: The document describes multiple SQL injection vulnerabilities in the SP Client Document Manager WordPress plugin (version 2.4.1 and earlier). It details vulnerable endpoints and code snippets, including blind SQLi via POST parameters and direct SQLi via GET parameters.

Description

Multiple SQL injection vulnerabilities in classes/ajax.php in the Smarty Pants Plugins SP Project & Document Manager plugin (sp-client-document-manager) 2.4.1 and earlier for WordPress allow remote attackers to execute arbitrary SQL commands via the (1) vendor_email[] parameter in the email_vendor function or id parameter in the (2) download_project, (3) download_archive, or (4) remove_cat function.

Exploits (1)

exploitdb WRITEUP VERIFIED
by ITAS Team · text · webapps · php
https://www.exploit-db.com/exploits/35313

Classification: Writeup 90%
Attack Type: SQLi
Complexity: Trivial
Reliability: Reliable
Target: SP Client Document Manager WordPress plugin <= 2.4.1
No auth needed
Prerequisites: Access to vulnerable WordPress plugin endpoints
devstral-2 · analyzed Feb 16, 2026

Scores

EPSS 0.0474
EPSS Percentile 90.7%

Details

CWE: CWE-89
Status: published
Products (1): smartypantsplugins/sp_project_&_document_manager < 2.4.1
Published: Dec 02, 2014
Tracked Since: Feb 18, 2026