
CVE-2024-13752: CWE-862 Missing Authorization in wedevs WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts

Severity: Medium
Tags: Vulnerability, CVE-2024-13752, CWE-862
Published: Sat Feb 15 2025 (02/15/2025, 09:24:23 UTC)
Source: CVE Database V5
Vendor/Project: wedevs
Product: WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts

Description

CVE-2024-13752 is a medium severity vulnerability in the WP Project Manager plugin for WordPress, affecting all versions up to and including 2.6.17. It arises from a missing authorization check in the '/pm/v2/settings/notice' REST API endpoint, allowing authenticated users with Subscriber-level access or higher to trigger a persistent denial of service (DoS) condition. The flaw does not impact confidentiality or integrity but can disrupt availability by causing service outages. Exploitation requires no user interaction beyond authentication, and the attack surface includes any WordPress site using this plugin. No known exploits are currently reported in the wild. Organizations relying on this plugin for project management should prioritize patching or applying mitigations to prevent potential service disruptions. Countries with significant WordPress usage and active plugin deployment are at higher risk. Immediate mitigation involves restricting access to the vulnerable endpoint and monitoring for unusual API activity until an official patch is released.

AI-Powered Analysis

AI analysis last updated: 02/25/2026, 22:14:00 UTC

Technical Analysis

The vulnerability identified as CVE-2024-13752 affects the WP Project Manager plugin for WordPress, which provides task, team, and project management features including kanban boards and Gantt charts. The root cause is a missing authorization check (CWE-862) in the REST API endpoint '/pm/v2/settings/notice'. This endpoint fails to verify whether the authenticated user has the necessary permissions to perform certain actions, allowing users with minimal privileges (Subscriber-level or above) to exploit this flaw. The consequence is a persistent denial of service condition, where an attacker can disrupt the availability of the plugin's functionality, potentially impacting project management workflows. The CVSS v3.1 score is 6.5 (medium), reflecting that the vulnerability is remotely exploitable over the network with low attack complexity and no user interaction required, but limited to authenticated users with at least subscriber privileges. There is no impact on confidentiality or integrity, only availability. The vulnerability affects all versions up to and including 2.6.17 of the plugin. No public exploits have been reported yet, but the vulnerability is published and known. The lack of a patch link indicates that a fix may not yet be available, increasing the urgency for interim mitigations. The CVE was assigned by Wordfence and published in February 2025.
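To make the CWE-862 pattern concrete, the following is an added illustration of a WordPress REST route registered without an authorization check, next to the same route gated on a capability. This is not the WP Project Manager plugin's code: the namespace 'example/v1', the option name and the handler are assumed, and only the general shape of the defect (a permission_callback that always returns true) is being shown.

```php
<?php
// Added illustration of CWE-862 in a WordPress REST route. This is NOT the
// WP Project Manager plugin's code; the namespace, option name and handler
// are assumptions made for the example.

// Vulnerable pattern: permission_callback always returns true, so any caller
// that reaches the REST server (here: any authenticated user, and without a
// nonce/auth layer even anonymous callers) can invoke the handler and change
// persistent state.
function example_register_vulnerable_route() {
    register_rest_route( 'example/v1', '/settings/notice', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_notice',
        'permission_callback' => '__return_true', // CWE-862: no authorization check
    ) );
}

// Hardened pattern: the same route gated on an administrative capability.
// Subscriber-level users fail current_user_can() and the REST server returns
// 401/403 before the callback ever runs. The 'args' schema additionally
// rejects malformed input before the handler sees it.
function example_register_hardened_route() {
    register_rest_route( 'example/v1', '/settings/notice', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_notice',
        'permission_callback' => function ( WP_REST_Request $request ) {
            return current_user_can( 'manage_options' );
        },
        'args' => array(
            'dismissed' => array(
                'type'     => 'boolean',
                'required' => true,
            ),
        ),
    ) );
}

// Shared handler: writes a persistent option. With the vulnerable registration
// this write is reachable by low-privilege users, which is how an availability
// impact becomes persistent rather than a one-off.
function example_update_notice( WP_REST_Request $request ) {
    update_option( 'example_notice_dismissed', (bool) $request->get_param( 'dismissed' ) );
    return rest_ensure_response( array( 'updated' => true ) );
}

// Register only the hardened variant; the vulnerable one is kept for contrast.
add_action( 'rest_api_init', 'example_register_hardened_route' );
```

When auditing a plugin for this class of bug, the quick check is to grep its register_rest_route() calls for permission_callback values of '__return_true' (or a missing permission_callback on WordPress versions that still tolerate it) on any route that writes options or changes state.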

Potential Impact

This vulnerability primarily impacts the availability of the WP Project Manager plugin on affected WordPress sites. An attacker with subscriber-level access can cause persistent denial of service, potentially disrupting project management operations, delaying task tracking, and impairing team collaboration. For organizations relying heavily on this plugin for critical workflows, such disruptions could lead to operational inefficiencies and project delays. Although the vulnerability does not expose sensitive data or allow data modification, the loss of service availability can indirectly affect business continuity and productivity. Since the attack requires only low-privilege authenticated access, any compromised or malicious user account could be leveraged to exploit this flaw. The scope includes all WordPress sites using the vulnerable plugin version, which could be widespread given the popularity of WordPress and project management plugins. The absence of known exploits in the wild reduces immediate risk but does not eliminate the threat, especially as attackers may develop exploits once the vulnerability is publicly known.

Mitigation Recommendations

1. Immediately restrict access to the '/pm/v2/settings/notice' REST API endpoint by implementing custom access controls or firewall rules at the web server or application level to block unauthorized or subscriber-level users from invoking it.
2. Review and tighten user role permissions within WordPress to minimize the number of users with subscriber-level or higher access, especially on sites with many users.
3. Monitor logs for unusual or repeated access attempts to the vulnerable endpoint to detect potential exploitation attempts early.
4. Disable or deactivate the WP Project Manager plugin temporarily if the project management functionality is non-critical until an official patch is released.
5. Stay updated with the plugin vendor's announcements and apply security patches promptly once available.
6. Consider implementing a Web Application Firewall (WAF) with custom rules to detect and block exploitation attempts targeting this endpoint.
7. Educate site administrators about the risk and encourage strong authentication practices to reduce the likelihood of compromised accounts.
8. Conduct regular security audits of installed plugins and their permissions to identify and mitigate similar risks proactively.
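Recommendations 1 and 3 can be implemented together at the application level without modifying the plugin. The following is an added example of a WordPress must-use plugin (not code from wedevs or from the plugin) that hooks the core rest_pre_dispatch filter, refuses the advisory's endpoint to anyone lacking an administrative capability, and writes a log line for each blocked attempt. The route string comes from the advisory; the choice of manage_options as the required capability, the plugin file name and the log format are assumptions.

```php
<?php
/**
 * Plugin Name: Interim gate for /pm/v2/settings/notice
 * Description: Added example (not from wedevs): blocks the CVE-2024-13752 endpoint
 *              for users without manage_options and logs every blocked attempt.
 *
 * Drop into wp-content/mu-plugins/pm-notice-gate.php (file name is an assumption);
 * mu-plugins load before ordinary plugins and cannot be deactivated from the UI.
 */

// Route is taken from the advisory. Requiring manage_options (administrators)
// is an assumption chosen because the endpoint changes plugin settings.
const PM_NOTICE_GATE_ROUTE      = '/pm/v2/settings/notice';
const PM_NOTICE_GATE_CAPABILITY = 'manage_options';

/**
 * Pure decision function: allow everything except the gated route, and allow
 * the gated route only when the caller holds the required capability.
 * Kept free of WordPress globals so the logic is easy to read and unit-test.
 *
 * @param string $route           Route as returned by WP_REST_Request::get_route(), e.g. "/pm/v2/settings/notice".
 * @param bool   $user_can_manage Result of current_user_can( PM_NOTICE_GATE_CAPABILITY ).
 * @return bool  true to let the request proceed, false to block it.
 */
function pm_notice_gate_is_allowed( $route, $user_can_manage ) {
    $normalized = rtrim( (string) $route, '/' );
    if ( $normalized !== PM_NOTICE_GATE_ROUTE ) {
        return true; // not the vulnerable endpoint
    }
    return (bool) $user_can_manage;
}

/**
 * rest_pre_dispatch runs after WordPress has authenticated the caller and
 * resolved the route, but before the endpoint callback executes. Returning a
 * WP_Error short-circuits dispatch with that error as the HTTP response.
 */
function pm_notice_gate_pre_dispatch( $result, $server, $request ) {
    if ( null !== $result ) {
        return $result; // another filter already short-circuited this request
    }

    $allowed = pm_notice_gate_is_allowed(
        $request->get_route(),
        current_user_can( PM_NOTICE_GATE_CAPABILITY )
    );
    if ( $allowed ) {
        return $result;
    }

    // Recommendation 3: leave a greppable trail so repeated attempts from one
    // account or address stand out in the PHP error log / SIEM.
    $ip = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    error_log( sprintf(
        'pm-notice-gate: blocked %s %s user=%d ip=%s',
        $request->get_method(),
        $request->get_route(),
        get_current_user_id(),
        $ip
    ) );

    // 401 for anonymous callers, 403 for authenticated ones lacking the capability.
    return new WP_Error(
        'pm_notice_gate_forbidden',
        'This endpoint is temporarily restricted to administrators.',
        array( 'status' => rest_authorization_required_code() )
    );
}
add_filter( 'rest_pre_dispatch', 'pm_notice_gate_pre_dispatch', 10, 3 );
```

Because the gate sits in core's dispatch path, it covers every HTTP method and every way of reaching the route (the /wp-json/ prefix as well as the ?rest_route= query form), which a web-server rule keyed only on the URL path can miss. Remove the mu-plugin once a vendor release that adds its own permission check has been installed, and watch the error log for the pm-notice-gate: prefix in the meantime.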


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-01-27T22:10:14.897Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 699f6e6db7ef31ef0b5a06a5

Added to database: 2/25/2026, 9:49:33 PM

Last enriched: 2/25/2026, 10:14:00 PM

Last updated: 2/26/2026, 7:21:27 AM

