WordPress Plugin Vulnerabilities

Project Manager < 3.0.2 - Authenticated (Subscriber+) Information Exposure

Description

The Project Manager – AI-Powered Project & Task Manager with Kanban Board & Gantt Chart plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data.

Affects Plugins

Plugin icon
wedevs-project-manager
Fixed in 3.0.2

References

CVE
CVE-2025-68040
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/0d1456bb-9ecb-406e-b1c8-b582bee094a9

Classification

Type
SENSITIVE DATA DISCLOSURE
OWASP top 10
A3: Sensitive Data Exposure
CWE
CWE-200
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
MD ISMAIL
Verified
No
WPVDB ID
46d910e3-7e87-4829-b797-54d277cee7f5

Timeline

Publicly Published
2025-12-26 (about 4 months ago)
Added
2026-01-05 (about 4 months ago)
Last Updated
2026-01-27 (about 3 months ago)

Other

Published
Title
Published
2026-02-02
Title
Tutor LMS < 3.9.6 - Authenticated (Subscriber+) Information Disclosure in Coupon Details via 'tutor_coupon_details' AJAX Action
Published
2024-02-26
Title
WooCommerce Coupon Popup, SmartBar, Slide In | MyShopKit <= 1.0.9 - Unauthenticated Sensitive Information Exposure
Published
2025-09-26
Title
FoodBook < 4.7.7 - Unauthenticated Sensitive Information Exposure
Published
2024-08-12
Title
Order Export for WooCommerce < 3.24 - Unauthenticated Sensitive Information Exposure
Published
2025-12-21
Title
Eight Day Week Print Workflow < 1.2.6 - Authenticated (Custom+) Information Exposure