SQL Injection Vulnerability in WP Project Manager Plugin for WordPress
CVE-2024-12195

6.5MEDIUM

Key Information:

Vendor: Wordpress
Status: WP Project Manager – Task, Team, And Project Management Plugin Featuring Kanban Board And Gantt Charts
Vendor: CVE Published:; 4 January 2025

Summary

The WP Project Manager plugin for WordPress is susceptible to SQL Injection through the 'project_id' parameter of the /wp-json/pm/v2/projects/2/task-lists REST API endpoint. This vulnerability arises from inadequate input sanitization, which permits authenticated users with project access to append malicious SQL queries to legitimate database queries. Consequently, this can lead to unauthorized access and potential extraction of sensitive information from the database. All versions of the plugin up to and including 2.6.16 are impacted, highlighting the need for immediate updates to protect against potential exploitation.

Affected Version(s)

WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts * <= 2.6.16

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/wedevs-project...

https://plugins.trac.wordpress.org/changeset/3213295/wede...

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 4, 2025
Vulnerability Reserved
Dec 4, 2024

Credit

Trương Hữu Phúc (truonghuuphuc)