The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.6.13 via the 'Abstract_Permission' class due to missing validation on the 'user_id' user-controlled key. This makes it possible for unauthenticated attackers to spoof their identity to that of an administrator and access all of the plugin's REST routes.
History
Wed, 13 Nov 2024 16:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared | Wedevs, Wedevs wp Project Manager | |
CPEs | cpe:2.3:a:wedevs:wp_project_manager:-:*:*:*:*:wordpress:*:* | |
Vendors & Products | Wedevs, Wedevs wp Project Manager | |
Metrics | ssvc | |
Wed, 13 Nov 2024 03:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.6.13 via the 'Abstract_Permission' class due to missing validation on the 'user_id' user-controlled key. This makes it possible for unauthenticated attackers to spoof their identity to that of an administrator and access all of the plugin's REST routes. | |
Title | WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts <= 2.6.13 - Insecure Direct Object Reference to Unauthenticated Authorization Bypass | |
Weaknesses | CWE-639 | |
References | | |
Metrics | cvssV3_1 | |
MITRE
Status: PUBLISHED
Assigner: Wordfence
Published: 2024-11-13T03:20:08.239Z
Updated: 2024-11-13T15:41:35.962Z
Reserved: 2024-10-18T20:10:52.227Z
Link: CVE-2024-10174
Vulnrichment
Updated: 2024-11-13T15:41:29.431Z
NVD
Status: Awaiting Analysis
Published: 2024-11-13T04:15:03.553
Modified: 2024-11-13T17:01:16.850
Link: CVE-2024-10174
Redhat
No data.