The WP Project Manager plugin, developed by wedevs, is widely used for project management, team collaboration, and task tracking within WordPress environments. CVE-2025-8994 identifies a time-based SQL Injection vulnerability in the 'completed_at_operator' parameter, present in all versions up to and including 2.6.26. This parameter is used in SQL queries without proper escaping or prepared statements, allowing attackers with at least Subscriber-level privileges to inject arbitrary SQL code. The vulnerability stems from improper neutralization of special elements in SQL commands (CWE-89). Exploitation involves appending additional SQL queries to the existing query, enabling attackers to extract sensitive information from the backend database. The attack vector is remote over the network, requiring authentication but no user interaction, and has a CVSS 3.1 base score of 6.5, reflecting medium severity. While no public exploits are currently known, the vulnerability poses a significant risk due to the widespread use of the plugin and the relatively low privilege required to exploit it. The flaw compromises confidentiality but does not affect data integrity or availability. The vulnerability was reserved in August 2025 and published in November 2025, with no patches currently linked, indicating that mitigation may require manual intervention or updates from the vendor.

This vulnerability allows attackers with minimal privileges (Subscriber-level) to perform SQL Injection attacks, potentially exposing sensitive data such as user credentials, project details, or other confidential information stored in the WordPress database. The confidentiality breach can lead to data leaks, privacy violations, and further exploitation such as privilege escalation or lateral movement within the affected environment. Since the vulnerability does not impact integrity or availability directly, attackers cannot modify or delete data or cause denial of service through this flaw alone. However, the exposure of sensitive data can have severe reputational and compliance consequences for organizations. Given the plugin's popularity among businesses using WordPress for project management, the risk extends to a broad range of sectors including technology, education, government, and enterprises relying on WordPress-based collaboration tools. The requirement for authentication limits the attack surface somewhat but does not eliminate risk, especially in environments with weak access controls or compromised user accounts.

Organizations should immediately verify the version of the WP Project Manager plugin installed and upgrade to a patched version once released by wedevs. Until an official patch is available, administrators should restrict Subscriber-level user permissions to the minimum necessary and monitor for suspicious database queries or unusual user activity. Implementing Web Application Firewalls (WAFs) with custom rules to detect and block SQL Injection patterns targeting the 'completed_at_operator' parameter can provide temporary protection. Additionally, applying principle of least privilege on database accounts used by WordPress can limit data exposure if exploitation occurs. Regularly auditing user roles and access rights, enforcing strong authentication mechanisms, and monitoring logs for anomalies are critical. Developers and site administrators should also consider employing parameterized queries or prepared statements in custom code to prevent similar injection flaws. Finally, maintaining up-to-date backups ensures recovery in case of compromise.