CVE-2024-10548

MEDIUM

WP Project Manager <= 2.6.15 - Authenticated Sensitive Information Exposure via Project Task List REST API

Title source: llm

Description

The WP Project Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.6.15 via the Project Task List ('/wp-json/pm/v2/projects/1/task-lists') REST API endpoint. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including the hashed passwords of project owners (e.g. adminstrators).

References (2)

Core 2

Core References

Patch

https://plugins.trac.wordpress.org/changeset/3206717/wedevs-project-manager/tags/2.6.16/src/Task_List/Controllers/Task_List_Controller.php

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/a21b7c40-2090-4262-9105-346db2325612?source=cve

Scores

CVSS v3 6.5

EPSS 0.0038

EPSS Percentile 30.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-200

Status published

Products (2)

wedevs/Project Manager – AI Powered Project Management, Task Management, Kanban Board & Time Tracker < 2.6.15

wedevs/wp_project_manager < 2.6.16

Published Dec 19, 2024

Tracked Since Feb 18, 2026