Volerion logoVolerion
Volerion logoVolerion

WP Project Manager SQL Injection Vulnerability

Vulnerability

A SQL injection vulnerability has been identified in the WP Project Manager plugin for WordPress, specifically in versions prior to and including 2.6.16. The vulnerability arises in the '/wp-json/pm/v2/projects/2/task-lists' REST API endpoint, where the 'project_id' parameter is insufficiently sanitized. This flaw allows authenticated attackers with project access to inject additional SQL queries into the existing query, potentially leading to the extraction of sensitive database information.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate SQL queries to access or modify database information. In this case, it could be used to extract sensitive data from the database.

Reproduction

To reproduce this vulnerability, send a request to the '/wp-json/pm/v2/projects/2/task-lists' endpoint with an injected 'project_id' parameter. The injection can be crafted to manipulate the SQL query and extract database information.

Remediation

Users are advised to update the WP Project Manager plugin to version 2.6.17 or later, where this vulnerability has been fixed.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread
3.4
impact
2.5
exploitability
6.4
remediation
7.7
relevance
0.0
threat
4.8
urgency
2.9
incentive
1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.