CVE-2025-3100

Medium CVSS: 6.4

The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.6.22 due to insufficient input sanitization and output escaping in tasks discussion. This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an Administrator, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.

Vendor

Wedevs

Product

Wp Project Manager

CWE

CWE-79

Yayın Tarihi

2025-04-09 05:15:43

Güncelleme

2025-07-14 17:27:25

Source Identifier

security@wordfence.com

KEV Date Added

Kategoriler

CWE-79 Wp Project Manager MEDIUM Wedevs 2025

Referanslar

https://plugins.trac.wordpress.org/browser/wedevs-project-manager/trunk/src/File/Helper/File.php#L56 https://plugins.trac.wordpress.org/changeset/3268509/wedevs-project-manager/trunk/bootstrap/loaders.php https://www.wordfence.com/threat-intel/vulnerabilities/id/4d62b087-b0ca-4fa8-921b-5eeb3fa76596?source=cve

Benzer Kayıtlar

Medium

CVE-2024-12808

The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting WordPress plugin before…

High

CVE-2024-12812

The WP ERP | Complete HR solution with recruitment & job listings | WooCommerce CRM & Accounting WordPress plugin before…

High

CVE-2025-47540

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in weDevs weMail wemail allows…

Medium

CVE-2025-2541

The WP Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all ver…

High

CVE-2025-32280

Cross-Site Request Forgery (CSRF) vulnerability in weDevs WP Project Manager wedevs-project-manager allows Cross Site Re…

Medium

CVE-2025-22649

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in weDevs WP Project…