CVE-2025-68040
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Insertion of Sensitive Information Into Sent Data vulnerability in weDevs WP Project Manager wedevs-project-manager allows Retrieve Embedded Sensitive Data.This issue affects WP Project Manager: from n/a through <= 3.0.1.
AnalysisAI
WP Project Manager plugin through version 3.0.1 exposes sensitive information in sent data due to improper information handling, allowing attackers to retrieve embedded sensitive data without authentication. The vulnerability affects all installations of the weDevs plugin and has been identified with an extremely low EPSS score (0.05%, 14th percentile), suggesting minimal practical exploitation likelihood despite the information disclosure classification.
Technical ContextAI
This vulnerability stems from CWE-201 (Insertion of Sensitive Information Into Sent Data), a class of weakness where sensitive information is inadvertently included in data transmissions. In the context of WP Project Manager, a WordPress plugin for project management, the flaw involves the plugin failing to properly sanitize or exclude sensitive data before transmitting it to clients or storing it in accessible locations. The vulnerability does not appear to require specific technical exploitation of a protocol or library; rather, it reflects inadequate information handling practices in the plugin's data processing workflow. The affected product is identified via CPE as the weDevs WP Project Manager WordPress plugin, which is installed directly into WordPress environments and operates within the WordPress REST API and database architecture.
Affected ProductsAI
The weDevs WP Project Manager WordPress plugin is affected in all versions from initial release through version 3.0.1 inclusive. The plugin is distributed via the WordPress plugin repository and installed as a WordPress plugin. No specific CPE breakdown by version was provided in the available data, but the vulnerability advisory on Patchstack references the affected version range as ≤3.0.1.
RemediationAI
Users should upgrade the weDevs WP Project Manager plugin to a version newer than 3.0.1 when available from the plugin developer. The Patchstack vulnerability database entry at https://patchstack.com/database/Wordpress/Plugin/wedevs-project-manager/vulnerability/wordpress-wp-project-manager-plugin-2-6-29-sensitive-data-exposure-vulnerability?_s_id=cve provides the official advisory and may include a specific patched version number and timeline. Until an upgrade is available, site administrators should review plugin permissions, restrict plugin access to trusted users, and monitor for any suspicious data exposure or access logs related to the plugin's functionality.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today