Description
Insertion of Sensitive Information Into Sent Data vulnerability in weDevs WP Project Manager wedevs-project-manager allows Retrieve Embedded Sensitive Data.This issue affects WP Project Manager: from n/a through <= 3.0.1.
Published: 2025-12-29
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Exposure
Action: Update Plugin
AI Analysis

Impact

The issue is an insertion of sensitive information into data that is sent to users. It allows an attacker to retrieve embedded sensitive data such as credentials or private information. The weakness is classified as CWE‑201, indicating that confidentiality of data is at risk when it is inadvertently exposed to the client.

Affected Systems

The vulnerability affects the weDevs WP Project Manager WordPress plugin, versions from the earliest available release through 3.0.1 inclusive. Any WordPress site running any of those versions is potentially impacted.

Risk and Exploitability

The CVSS base score of 6.5 rates the vulnerability as moderate. The EPSS score is less than 1 %, indicating a very low but non‑zero exploitation probability. It is not listed in the CISA KEV catalog. The exact attack vector is not detailed in the advisory, but the vulnerability is likely triggered by interacting with plugin input fields or endpoints that expose data in responses. An attacker who can reach the site would be able to recover sensitive data leaked by the plugin.

Generated by OpenCVE AI on April 27, 2026 at 22:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WP Project Manager plugin to version 3.0.2 or later to remove the data‑exposure flaw.
  • If the plugin is not essential, deactivate and uninstall it to eliminate the risk surface.
  • Review any data that may have been exposed by the plugin (such as stored passwords or secrets) and reset those credentials where appropriate.

Generated by OpenCVE AI on April 27, 2026 at 22:01 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Insertion of Sensitive Information Into Sent Data vulnerability in weDevs WP Project Manager wedevs-project-manager allows Retrieve Embedded Sensitive Data.This issue affects WP Project Manager: from n/a through 3.0.1. Insertion of Sensitive Information Into Sent Data vulnerability in weDevs WP Project Manager wedevs-project-manager allows Retrieve Embedded Sensitive Data.This issue affects WP Project Manager: from n/a through <= 3.0.1.
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Mon, 05 Jan 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Wedevs
Wedevs wp Project Manager
Wordpress
Wordpress wordpress
Vendors & Products Wedevs
Wedevs wp Project Manager
Wordpress
Wordpress wordpress

Tue, 30 Dec 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 29 Dec 2025 23:30:00 +0000

Type Values Removed Values Added
Description Insertion of Sensitive Information Into Sent Data vulnerability in weDevs WP Project Manager wedevs-project-manager allows Retrieve Embedded Sensitive Data.This issue affects WP Project Manager: from n/a through 3.0.1.
Title WordPress WP Project Manager plugin <= 3.0.1 - Sensitive Data Exposure vulnerability
Weaknesses CWE-201
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Wedevs Wp Project Manager
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:13:56.082Z

Reserved: 2025-12-15T10:01:07.754Z

Link: CVE-2025-68040

cve-icon Vulnrichment

Updated: 2025-12-30T15:53:28.057Z

cve-icon NVD

Status : Deferred

Published: 2025-12-30T00:15:52.190

Modified: 2026-04-23T15:35:52.150

Link: CVE-2025-68040

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-27T22:15:15Z

Weaknesses