PT-2024-16339 · WordPress · Wp Project Manager

Noah Stead +1 · Published 2024-11-20 · Updated 2025-02-05 · CVE-2024-10520

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: WP Project Manager plugin for WordPress version 2.6.14

Description: The WP Project Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the check method of the Create Milestone, Create Task List, Create Task, and Delete Task classes. This makes it possible for unauthenticated attackers to create milestones, create task lists, create tasks, or delete tasks in any project.

Recommendations: For version 2.6.14, consider updating to a newer version that fully addresses this issue, as version 2.6.14 only implemented a partial fix. As a temporary workaround, consider disabling the check method in the Create Milestone, Create Task List, Create Task, and Delete Task classes until a patch is available. Restrict access to the Create Milestone, Create Task List, Create Task, and Delete Task classes to minimize the risk of exploitation.
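The weakness class here is an authorization callback that never consults the caller's capabilities. The PHP below is added as an illustration and is not the plugin's own code: it contrasts a check that unconditionally returns true with one that gates the REST route on an authenticated user holding a per-project capability. The class names, the `pm_create_task` capability, the route and the handler are all assumed.

```php
<?php
// Illustrative only: not the plugin's actual code. Class, capability and route names are assumed.

// Weak pattern matching the weakness described: the authorization hook answers
// "yes" without consulting the current user's capabilities, so an unauthenticated
// request passes straight through to the create handler.
class Create_Task_Unchecked {
    public function check( WP_REST_Request $request ) {
        return true; // no capability check: any caller may create a task
    }
}

// Hardened pattern: require a logged-in user who holds an action-specific
// capability (hypothetical 'pm_create_task'), scoped to the project in the request.
class Create_Task_Checked {
    public function check( WP_REST_Request $request ) {
        if ( ! is_user_logged_in() ) {
            return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
        }
        $project_id = absint( $request->get_param( 'project_id' ) );
        // Passing the object id lets a map_meta_cap filter decide per project.
        if ( ! $project_id || ! current_user_can( 'pm_create_task', $project_id ) ) {
            return new WP_Error( 'rest_forbidden', 'Not allowed to create tasks in this project.', array( 'status' => 403 ) );
        }
        return true;
    }

    // Placeholder handler; only reached after check() has returned true.
    public function create( WP_REST_Request $request ) {
        return new WP_REST_Response( array( 'created' => true ), 201 );
    }
}

// Register the hardened check as the REST permission callback so WordPress
// rejects the request before the create handler runs.
add_action( 'rest_api_init', function () {
    $endpoint = new Create_Task_Checked();
    register_rest_route( 'pm-example/v1', '/projects/(?P<project_id>\d+)/tasks', array(
        'methods'             => 'POST',
        'callback'            => array( $endpoint, 'create' ),
        'permission_callback' => array( $endpoint, 'check' ),
    ) );
} );
```

The same structure applies to the milestone, task-list and delete-task handlers: each permission callback must fail closed for unauthenticated callers and for users lacking the capability on the specific project.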

Fix

Weakness Enumeration: Missing Authorization
Related Identifiers: CVE-2024-10520
Affected Products: Wp Project Manager