CVE-2024-12195: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in wedevs WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts
CVE-2024-12195 is a medium-severity SQL Injection vulnerability in the WP Project Manager WordPress plugin (up to version 2.6.16). It affects the 'project_id' parameter of the /wp-json/pm/v2/projects/2/task-lists REST API endpoint. Authenticated users with project access can exploit this flaw to inject malicious SQL code, potentially extracting sensitive database information. The vulnerability arises from insufficient escaping and lack of prepared statements in the plugin's SQL queries. Exploitation does not require user interaction but does require authentication with project access. No known exploits are currently reported in the wild. Organizations using this plugin should prioritize patching or applying mitigations to prevent data leakage. The vulnerability primarily impacts WordPress sites using this plugin, which are most common in countries with high WordPress adoption and active project management plugin usage.
AI Analysis
Technical Summary
CVE-2024-12195 is an SQL Injection vulnerability identified in the WP Project Manager plugin for WordPress, which provides task, team, and project management features including kanban boards and Gantt charts. The vulnerability exists in all versions up to and including 2.6.16 and is triggered via the 'project_id' parameter in the REST API endpoint /wp-json/pm/v2/projects/2/task-lists. The root cause is improper neutralization of special elements in SQL commands (CWE-89), specifically due to insufficient escaping of user-supplied input and the absence of prepared statements or parameterized queries. This flaw allows an authenticated attacker, who has access to a project, to append arbitrary SQL queries to the existing query. Consequently, the attacker can extract sensitive information from the underlying database, compromising confidentiality. The CVSS v3.1 base score is 6.5 (medium), reflecting network attack vector, low attack complexity, required privileges (authenticated with project access), no user interaction, and high impact on confidentiality but no impact on integrity or availability. No public exploits have been reported yet, but the vulnerability poses a significant risk to organizations relying on this plugin for project management within WordPress environments.
Potential Impact
The primary impact of this vulnerability is the unauthorized disclosure of sensitive data stored in the WordPress database, which may include project details, user information, and other confidential content managed via the WP Project Manager plugin. Since the attack requires authentication with project access, the threat is limited to insiders or compromised accounts with legitimate project permissions. However, once exploited, attackers can perform data exfiltration, potentially leading to information leakage, privacy violations, and compliance issues. The integrity and availability of the system are not directly affected, but the confidentiality breach can damage organizational trust and lead to further targeted attacks. Organizations using this plugin in environments with sensitive project data are at risk, especially if they have weak access controls or compromised user credentials.
Mitigation Recommendations
Organizations should immediately update the WP Project Manager plugin to a version that addresses this vulnerability once released by the vendor. Until a patch is available, administrators should restrict project access strictly to trusted users and monitor access logs for suspicious activity. Implementing Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the 'project_id' parameter can provide temporary protection. Additionally, enforcing strong authentication and regularly auditing user permissions can reduce the risk of exploitation. Developers and site administrators should review custom code interacting with this plugin to ensure proper input validation and use of parameterized queries. Regular backups and monitoring for unusual database queries can help detect and recover from potential exploitation.
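The two developer-side controls the recommendations name, strict input validation and parameterized queries, are shown below as an added example; this is not WP Project Manager's or weDevs' code. It assumes PHP 8 with the pdo_sqlite extension so it runs stand-alone against a constructed in-memory table named task_lists; the function names validate_project_id, task_lists_unsafe and task_lists_safe are hypothetical. Inside a WordPress plugin the prepared statement would be written with $wpdb->prepare() and a %d placeholder, and the validation would sit in the 'args' validate_callback of register_rest_route().

```php
<?php
// Added example, not the plugin's own code. Shows the CWE-89 pattern the
// advisory describes (input spliced into SQL text) beside the hardened form
// (validated integer bound as a query parameter). Uses PDO + SQLite in memory
// with constructed rows; in WordPress the equivalent is
//   $wpdb->prepare("SELECT ... WHERE project_id = %d", $project_id).

declare(strict_types=1);

/**
 * Accept only a positive integer (an int, or a string of ASCII digits with no
 * leading zero, at most 10 digits). Anything else is rejected before it can
 * reach a query. Hypothetical helper; mirrors a REST validate_callback.
 */
function validate_project_id(mixed $raw): ?int
{
    if (is_int($raw)) {
        return $raw > 0 ? $raw : null;
    }
    if (is_string($raw) && preg_match('/^[1-9][0-9]{0,9}$/', $raw) === 1) {
        return (int) $raw;
    }
    return null;
}

/**
 * UNSAFE pattern (root cause named in the advisory): the request value is
 * interpolated into the statement text, so its characters become SQL syntax.
 * Kept here only to contrast with task_lists_safe(); do not use.
 */
function task_lists_unsafe(PDO $db, string $project_id): array
{
    $sql = "SELECT id, title FROM task_lists WHERE project_id = $project_id";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/**
 * Hardened pattern: validate first, then bind the integer as a parameter.
 * The SQL text is a constant; the database never parses user input as syntax.
 */
function task_lists_safe(PDO $db, mixed $raw_project_id): array
{
    $project_id = validate_project_id($raw_project_id);
    if ($project_id === null) {
        throw new InvalidArgumentException('project_id must be a positive integer');
    }
    $stmt = $db->prepare('SELECT id, title FROM task_lists WHERE project_id = :pid');
    $stmt->bindValue(':pid', $project_id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data standing in for a task-list table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE task_lists (id INTEGER PRIMARY KEY, project_id INTEGER, title TEXT)');
$db->exec("INSERT INTO task_lists VALUES (1, 2, 'Backlog'), (2, 2, 'Sprint 1'), (3, 7, 'Private list')");

// Well-formed input behaves identically under both patterns.
printf("safe('2')   -> %d rows\n", count(task_lists_safe($db, '2')));
printf("unsafe('2') -> %d rows\n", count(task_lists_unsafe($db, '2')));

// Malformed input: the hardened path refuses it before any SQL is built,
// whereas the unsafe path would splice the same string into the statement.
try {
    task_lists_safe($db, 'not-a-number');
} catch (InvalidArgumentException $e) {
    echo "safe('not-a-number') -> rejected: {$e->getMessage()}\n";
}
```

Run with `php example.php`. The important design point is that validation and binding are independent layers: the regex keeps the value in the integer domain the route expects, and the bound parameter guarantees that even a value which slipped past validation could not change the statement's structure.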
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-12-04T17:04:14.090Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e31b7ef31ef0b597832
Added to database: 2/25/2026, 9:48:33 PM
Last enriched: 2/26/2026, 6:13:05 AM
Last updated: 2/26/2026, 11:00:07 AM