CVE-2024-10548
📋 TL;DR
The WP Project Manager WordPress plugin exposes hashed passwords and other sensitive data through an insecure REST API endpoint. Authenticated attackers with Subscriber-level access or higher can exploit this vulnerability to extract administrator credentials. All WordPress sites using WP Project Manager versions up to 2.6.15 are affected.
💻 Affected Systems
- WP Project Manager WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers obtain administrator password hashes, crack them offline, gain full administrative access to the WordPress site, and potentially compromise the entire server.
Likely Case
Attackers extract sensitive project data and administrator password hashes, enabling credential stuffing attacks and unauthorized access to project management functions.
If Mitigated
With proper access controls and monitoring, attackers might extract limited data but cannot escalate privileges or cause significant damage.
🎯 Exploit Status
Exploitation requires authenticated access (Subscriber role or higher) and consists of a single HTTP GET request to the vulnerable endpoint.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.6.16
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3206717/wedevs-project-manager/tags/2.6.16/src/Task_List/Controllers/Task_List_Controller.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'WP Project Manager' and click 'Update Now'.
4. Verify that the version shows 2.6.16 or higher.
🔧 Temporary Workarounds
Disable REST API endpoint
Remove or restrict access to the vulnerable '/wp-json/pm/v2/projects/*/task-lists' endpoint
Add to theme functions.php or a custom plugin (keys in the rest_endpoints array are route paths without the /wp-json prefix, so the route is matched by pattern rather than by an exact key):
add_filter('rest_endpoints', function ($endpoints) {
    foreach (array_keys($endpoints) as $route) {
        // Route keys carry no /wp-json prefix; match by pattern so the exact parameter regex does not matter
        if (preg_match('#^/pm/v2/projects/[^/]+/task-lists$#', $route)) {
            unset($endpoints[$route]);
        }
    }
    return $endpoints;
});
Restrict user roles
Temporarily limit Subscriber and Contributor role access until the patch is applied
Use WordPress role management plugins or custom code to restrict access to project management features
🧯 If You Can't Patch
- Disable WP Project Manager plugin completely
- Implement strict network access controls to limit who can access WordPress REST API endpoints
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins for WP Project Manager version. If version is 2.6.15 or lower, system is vulnerable.
Check Version:
wp plugin list --name=wedevs-project-manager --field=version
(WP-CLI filters on the plugin slug, wedevs-project-manager, not the display name.)
Verify Fix Applied:
After updating, verify WP Project Manager shows version 2.6.16 or higher in WordPress admin plugins page.
📡 Detection & Monitoring
Log Indicators:
- Multiple GET requests to '/wp-json/pm/v2/projects/*/task-lists' from single user
- Unusual access patterns to project management REST endpoints
Network Indicators:
- HTTP 200 responses containing password hash data in REST API responses
- Increased traffic to WordPress REST API from unauthorized IPs
SIEM Query:
source="wordpress.log" AND uri_path="/wp-json/pm/v2/projects/*/task-lists" AND response_code=200
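The log indicator above (repeated successful GETs to the task-lists endpoint from one client, typically walking through project IDs) can be checked offline against a web server access log. The following is an added example, not part of the original advisory; it assumes combined-format access log lines, identifies the client by source IP because access logs carry no WordPress username, and uses constructed sample lines.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache/nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2024:10:01:02 +0000] "GET /wp-json/pm/v2/projects/1/task-lists HTTP/1.1" 200 5120 "-" "curl/8.4"
203.0.113.7 - - [10/Nov/2024:10:01:03 +0000] "GET /wp-json/pm/v2/projects/2/task-lists HTTP/1.1" 200 4870 "-" "curl/8.4"
203.0.113.7 - - [10/Nov/2024:10:01:03 +0000] "GET /wp-json/pm/v2/projects/3/task-lists HTTP/1.1" 200 4990 "-" "curl/8.4"
203.0.113.7 - - [10/Nov/2024:10:01:04 +0000] "GET /wp-json/pm/v2/projects/4/task-lists HTTP/1.1" 404 120 "-" "curl/8.4"
198.51.100.5 - - [10/Nov/2024:10:05:00 +0000] "GET /wp-json/pm/v2/projects/1/task-lists HTTP/1.1" 200 5120 "https://example.test/wp-admin/" "Mozilla/5.0"
198.51.100.5 - - [10/Nov/2024:10:05:09 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 9000 "https://example.test/wp-admin/" "Mozilla/5.0"
"""

# Combined log format: client IP, ident, user, [timestamp], "METHOD path proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The vulnerable route named in the advisory: /wp-json/pm/v2/projects/<id>/task-lists
TASK_LIST_RE = re.compile(r"^/wp-json/pm/v2/projects/(?P<project_id>\d+)/task-lists/?(?:\?.*)?$")

def parse_line(line):
    """Parse one access log line; return None for lines that are not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": m["path"], "status": int(m["status"])}

def find_task_list_enumeration(log_text, min_requests=3):
    """Return {ip: {"hits": n, "projects": [ids]}} for clients with at least
    `min_requests` successful (HTTP 200) GETs to the task-lists endpoint.
    Only 200 responses count, since those are the ones that returned data."""
    per_ip = defaultdict(lambda: {"hits": 0, "projects": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "GET" or rec["status"] != 200:
            continue
        route = TASK_LIST_RE.match(rec["path"])
        if not route:
            continue
        entry = per_ip[rec["ip"]]
        entry["hits"] += 1
        entry["projects"].add(int(route["project_id"]))
    return {ip: {"hits": e["hits"], "projects": sorted(e["projects"])}
            for ip, e in per_ip.items() if e["hits"] >= min_requests}

if __name__ == "__main__":
    for ip, info in find_task_list_enumeration(SAMPLE_LOG).items():
        print(f"{ip}: {info['hits']} successful task-list reads across projects {info['projects']}")
```

Lower `min_requests` to 1 to list every client that read the endpoint; a single authenticated read by a legitimate project member is expected, so the threshold and the spread of project IDs are what separate enumeration from normal use.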