PT-2025-47042 · WordPress · Wp Project Manager
Michael Mazzolini · Published 2025-11-15 · Updated 2025-11-15 · CVE-2025-8994
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
WP Project Manager plugin for WordPress versions prior to 2.6.27
Description
The WP Project Manager plugin for WordPress is susceptible to a time-based SQL Injection issue. This is due to inadequate escaping of user-supplied input and insufficient preparation of existing SQL queries, specifically affecting the completed at operator parameter. Authenticated attackers with Subscriber-level access or higher can inject additional SQL queries into existing queries to extract sensitive information from the database.
Recommendations
Update the WP Project Manager plugin to version 2.6.27 or later.
Fix
SQL injection
Weakness Enumeration
Related Identifiers
Affected Products
Wp Project Manager