Description
Use of Hard-coded Credentials vulnerability in weDevs WP Project Manager wedevs-project-manager allows Retrieve Embedded Sensitive Data.This issue affects WP Project Manager: from n/a through <= 2.6.25.
Published: 2025-09-22
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is a hard‑coded credentials issue that lets a malicious actor authenticate to the WP Project Manager plugin and extract sensitive data that is otherwise protected. The vulnerability is limited to data confidentiality erosion; it does not provide arbitrary code execution or denial of service. The weakness is classified as CWE‑798.

Affected Systems

The vulnerability exists in the weDevs WP Project Manager plugin for WordPress, affecting all releases up to and including version 2.6.25. Any WordPress site that has this plugin installed and has not been updated beyond that version could be impacted.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate risk, while the EPSS score of less than 1% suggests that exploitation is currently unlikely and no publicly known exploits exist. The vulnerability is not listed in the CISA KEV catalog, further indicating a low exploitation probability. The likely attack vector is a remote web request directed at the plugin’s authentication endpoints, which bypasses normal security checks due to the hard‑coded credentials.

Generated by OpenCVE AI on April 30, 2026 at 01:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Project Manager plugin to the latest version (2.6.26 or later).
  • If an immediate upgrade is not possible, disable the plugin or block all incoming requests to its endpoints until a patch is applied.
  • Remove or restrict any hard‑coded credential usage within the plugin configuration by editing or auditing the code and applying restrictions on administrative access.

Generated by OpenCVE AI on April 30, 2026 at 01:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-30519 Use of Hard-coded Credentials vulnerability in weDevs WP Project Manager allows Retrieve Embedded Sensitive Data. This issue affects WP Project Manager: from n/a through 2.6.25.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Use of Hard-coded Credentials vulnerability in weDevs WP Project Manager allows Retrieve Embedded Sensitive Data. This issue affects WP Project Manager: from n/a through 2.6.25. Use of Hard-coded Credentials vulnerability in weDevs WP Project Manager wedevs-project-manager allows Retrieve Embedded Sensitive Data.This issue affects WP Project Manager: from n/a through <= 2.6.25.
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Tue, 23 Sep 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 23 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Wedevs
Wedevs wp Project Manager
Wordpress
Wordpress wordpress
Vendors & Products Wedevs
Wedevs wp Project Manager
Wordpress
Wordpress wordpress

Mon, 22 Sep 2025 18:30:00 +0000

Type Values Removed Values Added
Description Use of Hard-coded Credentials vulnerability in weDevs WP Project Manager allows Retrieve Embedded Sensitive Data. This issue affects WP Project Manager: from n/a through 2.6.25.
Title WordPress WP Project Manager Plugin <= 2.6.25 - Sensitive Data Exposure Vulnerability
Weaknesses CWE-798
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Wedevs Wp Project Manager
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:43.733Z

Reserved: 2025-08-27T16:20:02.775Z

Link: CVE-2025-58269

cve-icon Vulnrichment

Updated: 2025-09-23T15:59:49.823Z

cve-icon NVD

Status : Deferred

Published: 2025-09-22T19:16:13.687

Modified: 2026-04-23T15:33:25.240

Link: CVE-2025-58269

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-30T01:45:06Z

Weaknesses