Vulnerability Description
The WP Project Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'check' method of the 'Create_Milestone', 'Create_Task_List', 'Create_Task', and 'Delete_Task' classes in version 2.6.14. This makes it possible for unauthenticated attackers to create milestones, create task lists, create tasks, or delete tasks in any project. NOTE: Version 2.6.14 implemented a partial fix for this vulnerability.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Wedevs | Wp Project Manager | < 2.6.15 |
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/changeset/3191204/wedevs-project-managerBroken Link
- https://www.wordfence.com/threat-intel/vulnerabilities/id/497760a8-7d4a-45a0-91eThird Party Advisory
FAQ
What is CVE-2024-10520?
CVE-2024-10520 is a vulnerability with a CVSS score of 5.3 (MEDIUM). The WP Project Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the 'check' method of the 'Create_Milestone', 'Create_Task_List', 'C...
How severe is CVE-2024-10520?
CVE-2024-10520 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-10520?
Check the references section above for vendor advisories and patch information. Affected products include: Wedevs Wp Project Manager.