CVE-2024-10174

HIGH

WP Project Manager <2.6.13 - Insecure Direct Object Reference

Title source: llm

Description

The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.6.13 via the 'Abstract_Permission' class due to missing validation on the 'user_id' user controlled key. This makes it possible for unauthenticated attackers to spoof their identity to that of an administrator and access all of the plugins REST routes.

References (3)

Core 3

Core References

Product

https://plugins.trac.wordpress.org/browser/wedevs-project-manager/trunk/core/Permissions/Abstract_Permission.php#L32

Patch

https://plugins.trac.wordpress.org/changeset/3185807/wedevs-project-manager/trunk/core/Permissions/Abstract_Permission.php

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/dea2d045-d3b4-4b55-8b4f-5baa82a18834?source=cve

Scores

CVSS v3 7.3

EPSS 0.0031

EPSS Percentile 54.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-639

Status published

Products (2)

wedevs/Project Manager – AI Powered Project Management, Task Management, Kanban Board & Time Tracker < 2.6.13

wedevs/wp_project_manager < 2.6.14

Published Nov 13, 2024

Tracked Since Feb 18, 2026