WordPress Plugin Vulnerabilities

WP Project Manager < 2.6.8 - Missing Authorization

Description

The WP Project Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on an unknown function in versions up to, and including, 2.6.7. This makes it possible for unauthenticated attackers to perform an unauthorized action.

Affects Plugins

Plugin icon
wedevs-project-manager
Fixed in 2.6.8

References

CVE
CVE-2023-40003
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f83a6631-ff6c-422e-8b6c-49576fadb89f

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
lttn
Verified
No
WPVDB ID
37af38ce-2310-4116-836b-8cadc3603900

Timeline

Publicly Published
2023-12-07 (about 2 years ago)
Added
2023-12-10 (about 2 years ago)
Last Updated
2024-02-19 (about 2 years ago)

Other

Published
Title
Published
2024-12-19
Title
Royal Elementor Addons < 1.7.1002 - Missing Authorization
Published
2025-12-03
Title
Frontend Admin by DynamiApps < 3.28.21 - Unauthenticated Arbitrary Options Update
Published
2026-04-16
Title
wpForo Forum < 3.0.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Forum Post Modification via 'guestposting' Parameter
Published
2026-02-09
Title
Travel Booking < 1.4.0 - Missing Authorization
Published
2025-01-14
Title
Setup Default Featured Image < 1.3 - Missing Authorization