WordPress Plugin Vulnerabilities

WP Project Manager < 2.4.14 - Authenticated Stored Cross-Site Scripting

Description

The plugin does not sanitise and escape the Task field when adding one to a Project, which could allow authenticated users being to create projects and tasks to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
wedevs-project-manager
Fixed in 2.4.14

References

CVE
CVE-2021-36826
YouTube Video

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Jorgson
Verified
Yes
WPVDB ID
1badc460-ec75-4e92-8544-2b5deb6457f6

Timeline

Publicly Published
2021-11-10 (about 4 years ago)
Added
2022-04-04 (about 4 years ago)
Last Updated
2023-02-03 (about 3 years ago)

Other

Published
Title
Published
2023-04-03
Title
Albo Pretorio Online < 4.6.2 - Reflected XSS
Published
2024-08-16
Title
Button contact VR < 4.7.8 - Admin+ Stored XSS
Published
2025-05-02
Title
IGIT Related Posts With Thumb Image After Posts <= 4.5.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting
Published
2025-03-24
Title
AI Preloader <= 1.0.2 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2024-03-25
Title
Shipping with Venipak for WooCommerce < 1.19.6 - Reflected Cross-Site Scripting via 'venipak_labels_link'