CVE-2024-13500 is a time-based SQL Injection vulnerability categorized under CWE-89, found in the WP Project Manager plugin for WordPress, which provides task, team, and project management features including kanban boards and Gantt charts. The vulnerability exists in the handling of the 'orderby' parameter, which is insufficiently escaped and improperly prepared in SQL queries. This flaw allows authenticated users with Subscriber-level access or higher to append malicious SQL code to existing queries. Exploitation does not require user interaction and can lead to unauthorized extraction of sensitive information from the database. The vulnerability affects all plugin versions up to and including 2.6.17. The CVSS v3.1 score is 6.5, reflecting a medium severity with network attack vector, low attack complexity, and requiring privileges but no user interaction. No patches or known exploits are currently documented. The vulnerability primarily impacts confidentiality, with no direct effect on integrity or availability. The flaw stems from inadequate input validation and lack of parameterized queries or prepared statements in the plugin's codebase.

The primary impact of CVE-2024-13500 is unauthorized disclosure of sensitive data stored in the WordPress database, which may include user information, project details, and other confidential content managed by the WP Project Manager plugin. Since exploitation requires only Subscriber-level access, attackers can leverage compromised or low-privilege accounts to escalate data exposure risks. Although the vulnerability does not affect data integrity or availability, the breach of confidentiality can lead to privacy violations, compliance issues, and reputational damage. Organizations relying on this plugin for project management may face operational risks if sensitive project data is leaked. The medium severity indicates a moderate but significant threat, especially in environments with many users or sensitive data. The absence of known exploits suggests a window for proactive mitigation before widespread attacks occur.

To mitigate CVE-2024-13500, organizations should immediately update the WP Project Manager plugin to a version where this vulnerability is fixed once available. Until a patch is released, implement strict input validation and sanitization on the 'orderby' parameter at the web application firewall (WAF) or reverse proxy level to block malicious SQL payloads. Restrict user privileges by minimizing the number of users with Subscriber-level or higher access, and audit existing accounts for suspicious activity. Employ database activity monitoring to detect unusual query patterns indicative of SQL injection attempts. Consider disabling or limiting the use of the vulnerable plugin if feasible. Developers should refactor the plugin code to use parameterized queries or prepared statements to prevent SQL injection. Regularly review and update security controls around WordPress installations, including timely plugin updates and security hardening.