CVE-2025-68040
Description
Insertion of Sensitive Information Into Sent Data vulnerability in weDevs WP Project Manager (wedevs-project-manager) allows Retrieve Embedded Sensitive Data. This issue affects WP Project Manager: from n/a through <= 3.0.1.
Analysis
The WP Project Manager plugin, through version 3.0.1, includes sensitive information in data it sends to clients because of improper information handling, allowing attackers to retrieve the embedded sensitive data without authentication. The vulnerability affects all installations of the weDevs plugin and has been assigned an extremely low EPSS score (0.05%, 14th percentile), suggesting minimal practical exploitation likelihood despite the information disclosure classification.
Technical Context
This vulnerability stems from CWE-201 (Insertion of Sensitive Information Into Sent Data), a class of weakness in which sensitive information is inadvertently included in transmitted data. In the context of WP Project Manager, a WordPress plugin for project management, the flaw involves the plugin failing to exclude or sanitize sensitive data before transmitting it to clients or storing it in accessible locations. The vulnerability does not appear to require exploitation of a specific protocol or library; rather, it reflects inadequate information handling in the plugin's data processing workflow. The affected product is identified via CPE as the weDevs WP Project Manager WordPress plugin, which is installed directly into WordPress environments and operates within the WordPress REST API and database architecture.
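To make the CWE-201 pattern concrete in a WordPress REST context, the following is an added illustration written for this page; it is not WP Project Manager's code and makes no claim about that plugin's actual endpoints or fields. The route names (`example-pm/v1`), the `example_pm_*` functions and the record fields are all constructed for the example. It places a handler that returns a whole database record, sensitive columns included, to any caller beside a hardened handler that allowlists the fields it sends and requires a capability check.

```php
<?php
// Added illustration (not WP Project Manager's code). Route names, function
// names and record fields are constructed for this example.

/**
 * Hypothetical data access helper. A real plugin would query the database;
 * here it returns a constructed record that mixes public fields with values
 * that must never leave the server.
 */
function example_pm_get_project( int $id ): array {
    return array(
        'id'              => $id,
        'title'           => 'Sample project',
        'status'          => 'active',
        'owner_email'     => 'owner@example.test',   // sensitive
        'integration_key' => 'constructed-secret',   // sensitive
        'private_notes'   => 'internal discussion',  // sensitive
    );
}

/**
 * CWE-201 pattern: the full record, sensitive columns included, is serialised
 * into the response, and the route below lets any unauthenticated client call it.
 */
function example_pm_project_vulnerable( WP_REST_Request $request ) {
    $project = example_pm_get_project( (int) $request['id'] );
    return rest_ensure_response( $project );
}

/**
 * Hardened version: the response is built from an explicit allowlist of public
 * fields, so a sensitive column added later cannot leak by default.
 */
function example_pm_public_view( array $project ): array {
    $public_fields = array( 'id', 'title', 'status' );
    return array_intersect_key( $project, array_flip( $public_fields ) );
}

function example_pm_project_hardened( WP_REST_Request $request ) {
    $project = example_pm_get_project( (int) $request['id'] );
    return rest_ensure_response( example_pm_public_view( $project ) );
}

add_action( 'rest_api_init', function () {
    // Vulnerable route: no authentication, whole record returned.
    register_rest_route( 'example-pm/v1', '/project-vuln/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'example_pm_project_vulnerable',
        'permission_callback' => '__return_true',
    ) );

    // Hardened route: caller needs a capability, the id is validated, and only
    // allowlisted fields are returned.
    register_rest_route( 'example-pm/v1', '/project/(?P<id>\d+)', array(
        'methods'             => 'GET',
        'callback'            => 'example_pm_project_hardened',
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
        'args'                => array(
            'id' => array(
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
            ),
        ),
    ) );
} );
```

The design point is that output filtering should be an allowlist applied at the response boundary (`example_pm_public_view`), not a denylist of known-sensitive keys: when the schema grows, new columns stay private until someone deliberately exposes them. A `permission_callback` that returns `true` is the other half of the exposure, since it turns an over-broad response into an unauthenticated one.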
Affected Products
The weDevs WP Project Manager WordPress plugin is affected in all versions from initial release through version 3.0.1 inclusive. The plugin is distributed via the WordPress plugin repository and installed as a WordPress plugin. No specific CPE breakdown by version was provided in the available data, but the vulnerability advisory on Patchstack references the affected version range as ≤3.0.1.
Remediation
Users should upgrade the weDevs WP Project Manager plugin to a version newer than 3.0.1 when available from the plugin developer. The Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/wedevs-project-manager/vulnerability/wordpress-wp-project-manager-plugin-2-6-29-sensitive-data-exposure-vulnerability?_s_id=cve provides the official advisory and may include a specific patched version number and timeline. Until an upgrade is available, site administrators should review plugin permissions, restrict plugin access to trusted users, and monitor for any suspicious data exposure or access logs related to the plugin's functionality.