SQL Injection Vulnerability in WP Project Manager Plugin for WordPress
CVE-2024-13500

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: WP Project Manager – Task, Team, And Project Management Plugin Featuring Kanban Board And Gantt Charts
Vendor: CVE Published:; 15 February 2025

Summary

The WP Project Manager plugin, used for task and team management in WordPress, is vulnerable to time-based SQL Injection through the 'orderby' parameter. This vulnerability arises due to inadequate escaping of user-supplied data and insufficient preparation of the existing SQL query. As a result, authenticated attackers with Subscriber-level access and higher can inject additional SQL queries into existing ones, enabling them to extract sensitive information from the database. It is critical for users of this plugin to update to the latest version to mitigate potential risks.

Affected Version(s)

WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts * <= 2.6.17

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wordpress.org/plugins/wedevs-project-manager/#dev...

https://plugins.trac.wordpress.org/changeset/3239348/

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 15, 2025
Vulnerability Reserved
Jan 16, 2025

Credit

Krzysztof Zając