Wp Project Manager
CVE-2024-10520
MEDIUM
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from Vendor (wordfence) · only source for this CVE.
CVSS VectorVendor: wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
The WP Project Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'check' method of the 'Create_Milestone', 'Create_Task_List', 'Create_Task', and 'Delete_Task' classes in version 2.6.14. This makes it possible for unauthenticated attackers to create milestones, create task lists, create tasks, or delete tasks in any project. NOTE: Version 2.6.14 implemented a partial fix for this vulnerability.
AnalysisAI
The WP Project Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'check' method of the 'Create_Milestone', 'Create_Task_List',. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Technical ContextAI
This vulnerability is classified as Missing Authorization (CWE-862), which allows attackers to access resources or perform actions without proper authorization checks. The WP Project Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'check' method of the 'Create_Milestone', 'Create_Task_List', 'Create_Task', and 'Delete_Task' classes in version 2.6.14. This makes it possible for unauthenticated attackers to create milestones, create task lists, create tasks, or delete tasks in any project. NOTE: Version 2.6.14 implemented a partial fix for this vulnerability. Affected products include: Wedevs Wp Project Manager. Version information: version 2.6.14..
RemediationAI
No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement role-based access control, validate authorization on every request server-side, apply principle of least privilege.
More in Wp Project Manager
View allThe WP Project Manager plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.6.
The WP Project Manager - Task, team, and project management plugin featuring kanban board and gantt charts plugin for Wo
The WP Project Manager - Task, team, and project management plugin featuring kanban board and gantt charts plugin for Wo
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in weDevs WP Project
The WP Project Manager - Task, team, and project management plugin featuring kanban board and gantt charts plugin for Wo
The WP Project Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and i
The WP Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all ver
The WP Project Manager - Task, team, and project management plugin featuring kanban board and gantt charts plugin for Wo
The WP Project Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including
The WP Project Manager - Task, team, and project management plugin featuring kanban board and gantt charts plugin for Wo
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today