CVE-2024-10174
📋 TL;DR
The WP Project Manager plugin for WordPress has an Insecure Direct Object Reference vulnerability that allows unauthenticated attackers to impersonate administrators by manipulating the 'user_id' parameter. This grants access to all plugin REST API routes, potentially compromising project management data and system integrity. All WordPress sites using this plugin up to version 2.6.13 are affected.
💻 Affected Systems
- WP Project Manager – Task, team, and project management plugin for WordPress
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the WordPress site through administrator privilege escalation, allowing data theft, content manipulation, and potential further system compromise.
Likely Case
Unauthorized access to sensitive project management data, task manipulation, and potential data exfiltration from the plugin's functionality.
If Mitigated
Limited impact if proper network segmentation and access controls prevent external exploitation, though internal threats remain.
🎯 Exploit Status
The vulnerability requires minimal technical skill to exploit as it involves simple parameter manipulation in REST API requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.6.14
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3185807/wedevs-project-manager/trunk/core/Permissions/Abstract_Permission.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'WP Project Manager' and click 'Update Now'.
4. Verify the plugin version is 2.6.14 or higher.
🔧 Temporary Workarounds
Disable REST API Access
Temporarily disable the plugin's REST API endpoints to prevent exploitation while planning a permanent fix.
The line 'remove_action("rest_api_init", array($this, "register_routes"));' only works from inside the plugin class that added the hook: '$this' is undefined in a theme's functions.php or in a separate custom plugin, so in those places it must reference the plugin's actual route-registering object, or the routes must be blocked through one of WordPress's REST filters instead.
Web Application Firewall Rule
Block REST API requests whose user_id parameter does not match the authenticated user.
WAF specific: create a rule that blocks requests to /wp-json/pm/v2/* carrying a user_id parameter value that does not match the authenticated user. Because the issue is exploitable without authentication, the rule must also cover requests to that path that carry no valid session at all, not only mismatched ones.
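The two workarounds above (disabling the plugin's REST routes, and refusing requests whose user_id does not match the caller) can be combined in a single must-use plugin. The following is an added example, not code from WP Project Manager or from the advisory; it assumes the route namespace is /pm/v2/ as listed on this page, that the file is placed in wp-content/mu-plugins/, and the function names are hypothetical.

```php
<?php
/**
 * Plugin Name: PM REST hardening (temporary mitigation for CVE-2024-10174)
 * Description: Rejects WP Project Manager REST requests (namespace pm/v2) that are
 *              unauthenticated or that carry a user_id not matching the logged-in user.
 */

// Hypothetical helper: true if the REST route belongs to the plugin namespace.
// The page lists the endpoints as /wp-json/pm/v2/*; internally the route is /pm/v2/...
function pm_hardening_is_pm_route( $route ) {
    return strpos( $route, '/pm/v2/' ) === 0;
}

/**
 * Decide whether a request must be refused. Returns null to let WordPress
 * continue, or a WP_Error (HTTP 403) that short-circuits dispatch.
 */
function pm_hardening_check( $request ) {
    if ( ! pm_hardening_is_pm_route( $request->get_route() ) ) {
        return null;
    }
    // The flaw is reachable without credentials, so anonymous callers get no plugin route at all.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'pm_hardening_forbidden', 'Authentication required.', array( 'status' => 403 ) );
    }
    // A supplied user_id must match the authenticated user; anything else is the IDOR pattern.
    $user_id = $request->get_param( 'user_id' );
    if ( null !== $user_id && (int) $user_id !== get_current_user_id() ) {
        error_log( sprintf(
            'CVE-2024-10174 mitigation: user_id %s != current user %d from %s on %s',
            $user_id, get_current_user_id(), $_SERVER['REMOTE_ADDR'] ?? 'unknown', $request->get_route()
        ) );
        return new WP_Error( 'pm_hardening_forbidden', 'user_id does not match the current user.', array( 'status' => 403 ) );
    }
    return null;
}

// rest_pre_dispatch runs after WordPress has authenticated the request and before the
// route callback; returning a non-null value stops dispatch with that result.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( null !== $result ) {
        return $result; // another filter already decided this request
    }
    return pm_hardening_check( $request );
}, 10, 3 );
```

This also blocks legitimate administrators from passing another user's user_id to these routes, so it is a stop-gap until 2.6.14 is installed; the error_log line gives the "user_id mismatch" indicator the Detection section below looks for.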
🧯 If You Can't Patch
- Immediately disable the WP Project Manager plugin until patching is possible
- Implement strict network access controls to limit REST API access to trusted IP addresses only
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for WP Project Manager version 2.6.13 or lower.
Check Version (the plugin slug, wedevs-project-manager, is taken from the trac URLs in the references; WP-CLI's plugin commands take the slug, not the display title):
wp plugin get wedevs-project-manager --field=version
Verify Fix Applied:
Confirm plugin version is 2.6.14 or higher in WordPress admin panel and test that user_id parameter manipulation no longer grants unauthorized access.
📡 Detection & Monitoring
Log Indicators:
- Unusual REST API requests to /wp-json/pm/v2/* endpoints with modified user_id parameters
- Multiple failed authentication attempts followed by successful admin-level API calls
Network Indicators:
- HTTP POST/GET requests to plugin REST endpoints with user_id parameter values different from authenticated user session
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-json/pm/v2/*" AND (user_id!=session_user OR user_id=1))
🔗 References
- https://plugins.trac.wordpress.org/browser/wedevs-project-manager/trunk/core/Permissions/Abstract_Permission.php#L32
- https://plugins.trac.wordpress.org/changeset/3185807/wedevs-project-manager/trunk/core/Permissions/Abstract_Permission.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/dea2d045-d3b4-4b55-8b4f-5baa82a18834?source=cve