WordPress Plugin Vulnerabilities

WP Project Manager < 2.6.1 - Subscriber+ SQLi

Description

The plugin does not properly sanitise and escape the user task starting date parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated users, such as subscriber

Affects Plugins

Plugin icon
wedevs-project-manager
Fixed in 2.6.1

References

CVE
CVE-2023-34383

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
7.7 (high)

Miscellaneous

Original Researcher
Theodoros Malachias
Verified
No
WPVDB ID
500f237e-48be-4388-a9a5-cb21e98284e6

Timeline

Publicly Published
2023-09-04 (about 2 years ago)
Added
2023-11-15 (about 2 years ago)
Last Updated
2023-11-15 (about 2 years ago)

Other

Published
Title
Published
2019-07-25
Title
Blog2Social < 5.6.0 - SQL Injection
Published
2024-12-13
Title
WP Job Portal < 2.2.3 - Unauthenticated SQL Injection
Published
2023-01-23
Title
WP TripAdvisor Review Slider < 10.8 - Subscriber+ SQLi
Published
2025-07-16
Title
Pinterest Automatic Pin < 4.19.0 - Authenticated (Subscriber+) SQL Injection
Published
2022-08-30
Title
WP < 6.0.2 - SQLi via Link API