CVE-2024-10520

WP Project Manager <= 2.6.14 - Missing Authorization to Project Milestone and Task Creation/Deletion

Severity Score

5.3

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Attend

*SSVC

Descriptions

The WP Project Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'check' method of the 'Create_Milestone', 'Create_Task_List', 'Create_Task', and 'Delete_Task' classes in version 2.6.14. This makes it possible for unauthenticated attackers to create milestones, create task lists, create tasks, or delete tasks in any project. NOTE: Version 2.6.14 implemented a partial fix for this vulnerability.

El complemento WP Project Manager para WordPress es vulnerable a la modificación no autorizada de datos debido a una verificación de capacidad faltante en el método 'check' de las clases 'Create_Milestone', 'Create_Task_List', 'Create_Task' y 'Delete_Task' en la versión 2.6.14. Esto hace posible que atacantes no autenticados creen hitos, listas de tareas, tareas o eliminen tareas en cualquier proyecto. NOTA: La versión 2.6.14 implementó una corrección parcial para esta vulnerabilidad.

*Credits: Noah Stead

CVSS Scores

Wordfencev3.1 5.3

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

None

Automatable

Yes

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-10-29 CVE Reserved
2024-11-19 CVE Published
2024-11-20 CVE Updated
2024-12-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-862: Missing Authorization

CAPEC

References (2)

URL	Tag	Source
https://plugins.trac.wordpress.org/changeset/3191204/wedevs-project-manager
https://www.wordfence.com/threat-intel/vulnerabilities/id/497760a8-7d4a-45a0-91e4-a8ee27bcdb02?source=cve

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Wedevs Search vendor "Wedevs"		WP Project Manager – Task, Team, And Project Management Plugin Featuring Kanban Board And Gantt Charts Search vendor "Wedevs" for product "WP Project Manager – Task, Team, And Project Management Plugin Featuring Kanban Board And Gantt Charts"				<= 2.6.14 Search vendor "Wedevs" for product "WP Project Manager – Task, Team, And Project Management Plugin Featuring Kanban Board And Gantt Charts" and version " <= 2.6.14"		en		Affected