Description
The Project Management, Team Collaboration, Kanban Board, Gantt Charts, Task Manager and More – WP Project Manager plugin for WordPress is vulnerable to time-based SQL Injection via the ‘completed_at_operator’ parameter in all versions up to, and including, 2.6.26 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2025-11-15
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection enabling data exfiltration
Action: Apply Patch
AI Analysis

Impact

WP Project Manager plugin is vulnerable to a time‑based SQL injection via the ‘completed_at_operator’ parameter. The injection arises from insufficient escaping and a lack of prepared statements, allowing an attacker to append additional SQL clauses. Because the vulnerability can be exploited only by authenticated users with Subscriber role or higher, an attacker can extract sensitive information from the database by injecting payloads that alter query logic.

Affected Systems

WordPress sites running the WP Project Manager plugin by WeDevs, any version up to and including 2.6.26 are affected. Vendors affected are WeDevs with the Project Manager plugin. Exact versions impacted are 2.6.26 and all earlier releases.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity level. The EPSS score of less than 1% suggests very low probability of exploitation in the wild, and the vulnerability is not listed in CISA’s KEV catalog. Attackers would need authenticated access with Subscriber privileges or higher, which limits the reach but still poses a threat to organizations with many authorized users.

Generated by OpenCVE AI on April 21, 2026 at 01:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update WP Project Manager to version 2.6.27 or later to remove the vulnerable code path.
  • If an update cannot be applied immediately, restrict authentication by revoking Subscriber‑level abilities that allow access to the affected functionality.
  • Implement input sanitization for the ‘completed_at_operator’ parameter, escaping characters that could terminate the query or inject SQL conditions.
  • Continue to monitor WordPress logs for unusual database queries that could indicate exploitation attempts.

Generated by OpenCVE AI on April 21, 2026 at 01:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 24 Nov 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 17 Nov 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Sat, 15 Nov 2025 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Wedevs
Wedevs wp Project Manager
Wordpress
Wordpress wordpress
Vendors & Products Wedevs
Wedevs wp Project Manager
Wordpress
Wordpress wordpress

Sat, 15 Nov 2025 06:00:00 +0000

Type Values Removed Values Added
Description The Project Management, Team Collaboration, Kanban Board, Gantt Charts, Task Manager and More – WP Project Manager plugin for WordPress is vulnerable to time-based SQL Injection via the ‘completed_at_operator’ parameter in all versions up to, and including, 2.6.26 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title WP Project Manager <= 2.6.26 - Authenticated (Subscriber+) SQL Injection via 'completed_at_operator'
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Wedevs Wp Project Manager
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:01:10.944Z

Reserved: 2025-08-13T17:15:06.350Z

Link: CVE-2025-8994

cve-icon Vulnrichment

Updated: 2025-11-17T18:45:30.770Z

cve-icon NVD

Status : Deferred

Published: 2025-11-15T06:15:43.980

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-8994

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T01:45:24Z

Weaknesses