WordPress Plugin Vulnerabilities

WP Project Manager < 2.6.18 - Missing Authorization to Authenticated (Subscriber+) Limited Arbitrary Options Update

Description

The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check in the '/pm/v2/settings/notice' endpoint all versions up to, and including, 2.6.17. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cause a persistent denial of service condition.

Affects Plugins

Plugin icon
wedevs-project-manager
Fixed in 2.6.18

References

CVE
CVE-2024-13752
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/bd54a50b-13ce-43ce-bce1-8fe132abc07e

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
6.5 (medium)

Miscellaneous

Original Researcher
Krzysztof Zając
Verified
No
WPVDB ID
576d4b31-f9d3-4d92-874d-151d5a6738d3

Timeline

Publicly Published
2025-02-14 (about 1 year ago)
Added
2025-02-14 (about 1 year ago)
Last Updated
2025-02-15 (about 1 year ago)

Other

Published
Title
Published
2024-10-04
Title
Rank Math SEO < 1.0.229 - Unauthenticated User and Term Metadata Insert/Update/Deletion
Published
2024-12-19
Title
Download Manager < 3.3.04 - Missing Authorization
Published
2024-03-28
Title
Easy Appointments < 3.11.19 - Insufficient Authorization
Published
2025-03-31
Title
Elfsight Testimonials Slider <= 1.0.1 - Missing Authorization
Published
2026-01-19
Title
Custom Fonts – Host Your Fonts Locally < 2.1.17 - Missing Authorization to Unauthenticated Font Deletion