Unauthorized Data Modification Vulnerability in WP Project Manager for WordPress
CVE-2024-10520

5.3 MEDIUM

Summary

The WP Project Manager plugin for WordPress is affected by a vulnerability that allows unauthorized users to modify project data. The cause is a missing capability check in the 'check' method used by the 'Create_Milestone', 'Create_Task_List', 'Create_Task', and 'Delete_Task' classes. Because the check does not verify the caller's permissions, unauthenticated attackers can create or delete milestones, task lists, and tasks in any project, which can disrupt and tamper with project management data. Note that version 2.6.14 implements only a partial fix; the issue underlines the need for capability checks on every state-changing endpoint and for prompt remediation.
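To make the root cause concrete, the following PHP sketch shows the general shape of a "missing capability check" in a WordPress REST endpoint next to a hardened version. This is an added illustration written for this page; it is not code from WP Project Manager, and the class names, route, parameter and capability names are hypothetical placeholders.

```php
<?php
/**
 * Added illustration (not code from WP Project Manager): a permission callback
 * that accepts every request, beside one that authenticates and authorizes.
 * Class, route, parameter and capability names are hypothetical placeholders.
 */

// --- Vulnerable pattern: the 'check' method accepts every caller. ---
// An endpoint registered this way can be reached by unauthenticated users, which
// is the bug class the advisory describes: the create/delete handler runs
// without any verification of who is calling.
class Example_Create_Task_Vulnerable {
    public function check( WP_REST_Request $request ) {
        return true; // no identity or capability verification
    }

    public function register() {
        register_rest_route( 'example/v1', '/tasks', array(
            'methods'             => WP_REST_Server::CREATABLE,
            'callback'            => array( $this, 'create' ),
            'permission_callback' => array( $this, 'check' ),
        ) );
    }

    public function create( WP_REST_Request $request ) {
        // ... writes project data (omitted)
        return rest_ensure_response( array( 'created' => true ) );
    }
}

// --- Hardened pattern: authenticate, then authorize for the specific project. ---
class Example_Create_Task_Hardened {
    public function check( WP_REST_Request $request ) {
        // 1. Reject anonymous callers outright.
        if ( ! is_user_logged_in() ) {
            return new WP_Error(
                'rest_forbidden',
                'Authentication required.',
                array( 'status' => 401 )
            );
        }

        // 2. Require a capability appropriate for modifying this project.
        //    'edit_example_project' is a placeholder; a real plugin defines and
        //    maps its own capability (e.g. via map_meta_cap) per project.
        $project_id = absint( $request->get_param( 'project_id' ) );
        if ( ! $project_id || ! current_user_can( 'edit_example_project', $project_id ) ) {
            return new WP_Error(
                'rest_forbidden',
                'Insufficient permissions for this project.',
                array( 'status' => 403 )
            );
        }

        return true;
    }

    public function register() {
        register_rest_route( 'example/v1', '/tasks', array(
            'methods'             => WP_REST_Server::CREATABLE,
            'callback'            => array( $this, 'create' ),
            'permission_callback' => array( $this, 'check' ),
            'args'                => array(
                'project_id' => array(
                    'required'          => true,
                    'sanitize_callback' => 'absint',
                ),
            ),
        ) );
    }

    public function create( WP_REST_Request $request ) {
        // ... writes project data (omitted)
        return rest_ensure_response( array( 'created' => true ) );
    }
}
```

The same rule applies to admin-ajax handlers: a nonce check (`check_ajax_referer`) proves the request came from the site's own pages, but it is not an authorization check, so `current_user_can` is still required before any create or delete action runs. When auditing a plugin for this bug class, look for permission callbacks that return `true` unconditionally or that only verify a nonce.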

Affected Version(s)

WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts: <= 2.6.14

References

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

Noah Stead