CVE-2024-13752 MEDIUM

CVE-2024-13752: WP Project Manager <= 2.6.17 - Missing Authorization to Authenticated (Subscriber+) Limited Arbitrary Options Update

Vendor Wedevs
Product Project Manager – AI Powered Project Management, Task Management, Kanban Board & Time Tracker
Weakness CWE-862 · Missing authorization
Published February 15, 2025
Last update April 8, 2026
View on NVD All CVEs

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

01Description

The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check in the '/pm/v2/settings/notice' endpoint all versions up to, and including, 2.6.17. This makes it possible for authenticated attackers, with Subscriber-level access and above, to cause a persistent denial of service condition.

Key dates

02Disclosure timeline

February 15, 2025 CVE published
April 8, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2026-32451 WordPress Fusion Builder plugin < 3.15.0 - Broken Access Control vulnerability CVE-2024-43158 WordPress Masteriyo LMS plugin <= 1.11.4 - Broken Access Control vulnerability CVE-2025-13496 Moosend Landing Pages <= 1.1.6 - Missing Authorization to Authenticated (Subscriber+) Option Deletion CVE-2023-39312 WordPress Avada theme <= 7.11.1 - Auth. Unrestricted Zip Extraction vulnerability CVE-2023-41132 WordPress Category Slider for WooCommerce plugin <= 1.4.15 - Broken Access Control vulnerability