CVE-2025-32280

4.3 MEDIUM

📋 TL;DR

A Cross-Site Request Forgery (CSRF) vulnerability in weDevs WP Project Manager allows attackers to trick authenticated administrators into performing unintended actions. This affects WordPress sites running WP Project Manager plugin versions up to 2.6.22. The vulnerability could lead to unauthorized project management actions.

💻 Affected Systems

Products:
  • weDevs WP Project Manager WordPress plugin
Versions: n/a through 2.6.22
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with WP Project Manager plugin enabled and an authenticated administrator session.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

An attacker could trick an administrator into deleting projects, modifying user permissions, or altering project data, potentially disrupting business operations.

🟠 Likely Case

Attackers could manipulate project settings, add/remove team members, or modify project timelines without proper authorization.

🟢 If Mitigated

With proper CSRF protections and user awareness, the risk is limited to accidental actions by authenticated users.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires social engineering to trick authenticated users into clicking malicious links.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.6.23 or later

Vendor Advisory: https://patchstack.com/database/wordpress/plugin/wedevs-project-manager/vulnerability/wordpress-wp-project-manager-plugin-2-6-22-cross-site-request-forgery-csrf-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'WP Project Manager' and click 'Update Now'.
4. Verify the update to version 2.6.23 or higher.

🔧 Temporary Workarounds

Implement CSRF Tokens Manually (applies to: all versions)

Add custom CSRF protection to plugin forms if immediate patching isn't possible

Use WordPress Security Plugins (applies to: all versions)

Install security plugins that provide additional CSRF protection
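The "Implement CSRF Tokens Manually" workaround above amounts to the standard WordPress nonce pattern: a token bound to the logged-in user and to one specific action is embedded in the form, and the handler refuses to act unless that token verifies. The following is an added example written for this page, not code from WP Project Manager or weDevs; the plugin header, the action name, the form and the handler are hypothetical, and it assumes it is loaded inside a WordPress install (as a plugin or mu-plugin).

```php
<?php
/**
 * Plugin Name: Example CSRF Guard
 * Description: Added example (not WP Project Manager code) showing the WordPress
 *              nonce pattern for protecting a state-changing admin action.
 */

// Hypothetical action name; a real plugin would protect its own forms and handlers.
const EXAMPLE_ACTION = 'example_delete_project';

/**
 * Render the form. wp_nonce_field() embeds a token tied to the current user and
 * to this exact action + project id, plus a _wp_http_referer field.
 */
function example_render_delete_form( int $project_id ): void {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="<?php echo esc_attr( EXAMPLE_ACTION ); ?>">
        <input type="hidden" name="project_id" value="<?php echo (int) $project_id; ?>">
        <?php wp_nonce_field( EXAMPLE_ACTION . '_' . $project_id, '_example_nonce' ); ?>
        <?php submit_button( 'Delete project', 'delete' ); ?>
    </form>
    <?php
}

/**
 * Handle the submission. Both checks are needed: the capability check stops
 * low-privilege users, the nonce check stops a forged cross-site request that
 * an administrator's browser sends without their intent.
 */
function example_handle_delete_project(): void {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example' ), '', array( 'response' => 403 ) );
    }

    $project_id = isset( $_POST['project_id'] ) ? (int) $_POST['project_id'] : 0;

    // check_admin_referer() runs wp_verify_nonce() on the named field and dies
    // with a 403 when the token is missing, forged, expired, or was issued for a
    // different user or action. A third-party page cannot read the token, so a
    // cross-site POST stops here.
    check_admin_referer( EXAMPLE_ACTION . '_' . $project_id, '_example_nonce' );

    // The actual state-changing work (deleting the project) would go here.

    wp_safe_redirect( add_query_arg( 'deleted', $project_id, admin_url( 'admin.php?page=example' ) ) );
    exit;
}
add_action( 'admin_post_' . EXAMPLE_ACTION, 'example_handle_delete_project' );
```

The same principle applies to REST routes: register them with a `permission_callback` that checks the capability, and note that cookie-authenticated REST requests must also carry an `X-WP-Nonce` header created with `wp_create_nonce( 'wp_rest' )`, otherwise WordPress treats the request as unauthenticated.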

🧯 If You Can't Patch

  • Restrict plugin access to trusted administrators only
  • Implement web application firewall with CSRF protection rules

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for WP Project Manager version

Check Version:

wp plugin list --name=wedevs-project-manager --field=version

The --name filter matches the plugin slug (its directory name, wedevs-project-manager, as in the vendor advisory URL above), not the display title 'WP Project Manager'; filtering on the title returns nothing.

Verify Fix Applied:

Verify WP Project Manager version is 2.6.23 or higher in WordPress admin

📡 Detection & Monitoring

Log Indicators:

  • Unexpected project modifications by administrators
  • Multiple failed CSRF token validations

Network Indicators:

  • POST requests to WP Project Manager endpoints without proper referrer headers

SIEM Query:

source="wordpress.log" AND "wp-project-manager" AND ("action=delete" OR "action=modify")
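The "Network Indicators" item above (POST requests to plugin endpoints without a proper Referer) can be checked against ordinary web server access logs. The following is an added example, not part of this advisory or of the plugin: it scans combined-format log lines for POST requests to assumed WP Project Manager paths whose Referer is absent or points at another host. SITE_HOST, the endpoint pattern (including the pm/ REST namespace) and the sample log lines are constructed assumptions; adjust them to the routes your install actually serves.

```php
<?php
// Added example for the "Network Indicators" item above; not part of the advisory.
// Flags POST requests to assumed WP Project Manager endpoints whose Referer is
// missing or from a host other than the site itself.

// Assumption: the host name of the protected WordPress site.
const SITE_HOST = 'example.com';

// Assumption: request paths worth watching for this plugin; adjust to your install.
const ENDPOINT_PATTERN = '~^/(wp-json/pm/|wp-admin/admin-ajax\.php|wp-admin/admin\.php\?page=pm)~i';

// Combined log format:
// client ident user [time] "METHOD PATH PROTO" status bytes "referer" "user-agent"
const LOG_RE = '~^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$~';

/** Parse one combined-format line into its fields, or null if it does not match. */
function parse_log_line( string $line ): ?array {
    if ( ! preg_match( LOG_RE, $line, $m ) ) {
        return null;
    }
    return array(
        'ip'      => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'path'    => $m[4],
        'status'  => (int) $m[5],
        'referer' => $m[6],
    );
}

/** Lower-cased host part of the Referer; '' when absent ("-") or unparsable. */
function referer_host( string $referer ): string {
    if ( $referer === '' || $referer === '-' ) {
        return '';
    }
    $host = parse_url( $referer, PHP_URL_HOST );
    return is_string( $host ) ? strtolower( $host ) : '';
}

/** Return the suspicious POST requests, each with a 'reason' field attached. */
function flag_suspicious_posts( array $lines ): array {
    $flagged = array();
    foreach ( $lines as $line ) {
        $r = parse_log_line( $line );
        if ( $r === null || $r['method'] !== 'POST' || ! preg_match( ENDPOINT_PATTERN, $r['path'] ) ) {
            continue;
        }
        $host = referer_host( $r['referer'] );
        if ( $host === SITE_HOST ) {
            continue; // same-origin submission, the expected case
        }
        $r['reason'] = $host === '' ? 'missing Referer' : 'cross-site Referer from ' . $host;
        $flagged[]   = $r;
    }
    return $flagged;
}

// Constructed sample lines (not real traffic).
$sample = array(
    '203.0.113.5 - - [10/Jun/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "https://example.com/wp-admin/admin.php?page=pm" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jun/2025:10:02:17 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "https://attacker-controlled.example.net/lure.html" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jun/2025:10:03:40 +0000] "POST /wp-json/pm/v2/projects/7 HTTP/1.1" 403 61 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jun/2025:10:04:02 +0000] "GET /wp-json/pm/v2/projects HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
);

foreach ( flag_suspicious_posts( $sample ) as $f ) {
    printf( "%s %s %s %d -> %s\n", $f['time'], $f['ip'], $f['path'], $f['status'], $f['reason'] );
}
```

Same-origin POSTs are skipped; a missing Referer is reported as well as a cross-site one, but treat it as a weaker signal, since browsers honouring a strict Referrer-Policy, privacy extensions and some proxies strip the header on legitimate requests. Correlate a hit with the user session and with the resulting project change before escalating.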
