We use these services and cookies to improve your user experience. You may opt out if you wish, however, this may limit some features on this site.

Please see our statement on Data Privacy.

Crisp.chat (Helpdesk and Chat)

Ok

THREATINT
PUBLISHED

CVE-2024-10520

WP Project Manager <= 2.6.14 - Missing Authorization to Project Milestone and Task Creation/Deletion



Description

The WP Project Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'check' method of the 'Create_Milestone', 'Create_Task_List', 'Create_Task', and 'Delete_Task' classes in version 2.6.14. This makes it possible for unauthenticated attackers to create milestones, create task lists, create tasks, or delete tasks in any project. NOTE: Version 2.6.14 implemented a partial fix for this vulnerability.

Reserved 2024-10-29 | Published 2024-11-20 | Updated 2024-11-20 | Assigner Wordfence


MEDIUM: 5.3CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Problem types

CWE-862 Missing Authorization

Product status

Default status
unaffected

*
affected

Timeline

2024-10-30:Vendor Notified
2024-11-19:Disclosed

Credits

Noah Stead finder

References

www.wordfence.com/...-7d4a-45a0-91e4-a8ee27bcdb02?source=cve

plugins.trac.wordpress.org/...3191204/wedevs-project-manager

cve.org (CVE-2024-10520)

nvd.nist.gov (CVE-2024-10520)

Download JSON

Share this page
https://cve.threatint.com/CVE/CVE-2024-10520

Support options

Helpdesk Chat, Email, Knowledgebase
Telegram Chat
Subscribe to our newsletter to learn more about our work.