CVE-2025-2541

Medium CVSS: 6.4

The WP Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.6.22 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Vendor

Wedevs

Product

Wp Project Manager

CWE

CWE-79

Yayın Tarihi

2025-04-11 12:15:15

Güncelleme

2025-05-06 14:09:58

Source Identifier

security@wordfence.com

KEV Date Added

Kategoriler

CWE-79 Wp Project Manager MEDIUM Wedevs 2025

Referanslar

https://plugins.trac.wordpress.org/browser/wedevs-project-manager/tags/2.6.20/core/WP/Frontend.php#L209 https://plugins.trac.wordpress.org/changeset/3268509/ https://wordpress.org/plugins/wedevs-project-manager/#developers https://www.wordfence.com/threat-intel/vulnerabilities/id/dcc68b62-7dd1-47d4-bbc5-d0237b7c85e7?source=cve

Benzer Kayıtlar

Medium

CVE-2024-12808

The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting WordPress plugin before…

High

CVE-2024-12812

The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting WordPress plugin before…

High

CVE-2025-47540

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in weDevs weMail wemail allows…

Medium

CVE-2025-3100

The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for Wo…

High

CVE-2025-32280

Cross-Site Request Forgery (CSRF) vulnerability in weDevs WP Project Manager wedevs-project-manager allows Cross Site Re…

Medium

CVE-2025-22649

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in weDevs WP Project…