Skip to main content

Wp Project Manager CVE-2024-10520

MEDIUM
Missing Authorization (CWE-862)
2024-11-20 security@wordfence.com
5.3
CVSS 3.1 · Vendor: wordfence
Share

Severity by source

Vendor (wordfence) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from Vendor (wordfence) · only source for this CVE.

CVSS VectorVendor: wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

1
CVE Published
Nov 20, 2024 - 12:15 cve.org
MEDIUM 5.3

DescriptionCVE.org

The WP Project Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'check' method of the 'Create_Milestone', 'Create_Task_List', 'Create_Task', and 'Delete_Task' classes in version 2.6.14. This makes it possible for unauthenticated attackers to create milestones, create task lists, create tasks, or delete tasks in any project. NOTE: Version 2.6.14 implemented a partial fix for this vulnerability.

AnalysisAI

The WP Project Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'check' method of the 'Create_Milestone', 'Create_Task_List',. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Missing Authorization (CWE-862), which allows attackers to access resources or perform actions without proper authorization checks. The WP Project Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'check' method of the 'Create_Milestone', 'Create_Task_List', 'Create_Task', and 'Delete_Task' classes in version 2.6.14. This makes it possible for unauthenticated attackers to create milestones, create task lists, create tasks, or delete tasks in any project. NOTE: Version 2.6.14 implemented a partial fix for this vulnerability. Affected products include: Wedevs Wp Project Manager. Version information: version 2.6.14..

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Implement role-based access control, validate authorization on every request server-side, apply principle of least privilege.

CVE-2023-3636 HIGH
8.8 Aug 31

The WP Project Manager plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 2.6.

CVE-2024-10174 HIGH
7.3 Nov 13

The WP Project Manager - Task, team, and project management plugin featuring kanban board and gantt charts plugin for Wo

CVE-2024-13752 MEDIUM
6.5 Feb 15

The WP Project Manager - Task, team, and project management plugin featuring kanban board and gantt charts plugin for Wo

CVE-2023-49860 MEDIUM
6.5 Dec 14

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in weDevs WP Project

CVE-2024-13500 MEDIUM
6.5 Feb 15

The WP Project Manager - Task, team, and project management plugin featuring kanban board and gantt charts plugin for Wo

CVE-2024-10548 MEDIUM
6.5 Dec 19

The WP Project Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and i

CVE-2025-2541 MEDIUM
6.4 Apr 11

The WP Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all ver

CVE-2025-3100 MEDIUM
6.4 Apr 09

The WP Project Manager - Task, team, and project management plugin featuring kanban board and gantt charts plugin for Wo

CVE-2020-36745 MEDIUM
4.3 Jul 01

The WP Project Manager plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including

CVE-2024-12195 MEDIUM
6.5 Jan 04

The WP Project Manager - Task, team, and project management plugin featuring kanban board and gantt charts plugin for Wo

Share

CVE-2024-10520 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy