WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts < 2.6.14 – Insecure Direct Object Reference to Unauthenticated Authorization Bypass | CVE 2024-10174 | Plugin Vulnerabilities

Description

The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.6.13 via the 'Abstract_Permission' class due to missing validation on the 'user_id' user controlled key. This makes it possible for unauthenticated attackers to spoof their identity to that of an administrator and access all of the plugins REST routes.

Affects Plugins

wedevs-project-manager

Fixed in 2.6.14

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/dea2d045-d3b4-4b55-8b4f-5baa82a18834

Classification

Type

IDOR

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

stealthcopter

Verified

No

WPVDB ID

b46c6e0f-0d60-485d-8623-64d3326cbc09

Timeline

Publicly Published

2024-11-12 (about 1 year ago)

Added

2024-11-12 (about 1 year ago)

Last Updated

2024-11-13 (about 1 year ago)

Other

Published

Title

Published

2023-01-27

Title

Quick Restaurant Menu < 2.1.0 - Subscriber+ Arbitrary Post Deletion/Updating

Published

2025-12-29

Title

FiveStar <= 1.7 - Authenticated (Subscriber+) Insecure Direct Object Reference

Published

2024-05-30

Title

Advanced Custom Fields < 6.3 - Contributor+ Custom Field Access

Published

2024-06-03

Title

KiviCare < 3.6.7 - Patient+ Insecure Direct Object Reference

Published

2025-04-07

Title

Streamit < 4.0.3 - Authenticated (Subscriber+) Privilege Escalation via User Email Change/Account Takeover