CVE-2025-68040 MEDIUM

CVE-2025-68040: WordPress WP Project Manager plugin <= 3.0.1 - Sensitive Data Exposure vulnerability

Vendor: Wedevs
Product: WP Project Manager
Weakness: CWE-201
Published: December 29, 2025
Last update: April 28, 2026

CVSS base score

6.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: Low
User interaction: None
Confidentiality: High
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

Insertion of Sensitive Information Into Sent Data vulnerability in weDevs WP Project Manager wedevs-project-manager allows Retrieve Embedded Sensitive Data. This issue affects WP Project Manager: from n/a through <= 3.0.1.

Explanation of Vulnerability in Simple Terms

02 Summary

WP Project Manager versions 3.0.1 and earlier contain an information disclosure vulnerability. An attacker with low-level site access can read sensitive data they should not have permission to view. The vulnerability requires valid user credentials but no additional user interaction. Update to a version newer than 3.0.1 to resolve this issue.

What an attacker can do

03 Attacker Capabilities

Read sensitive data from the plugin that should be restricted to higher-privilege users.

Potential impact on your site

04 Site Impact

User data, project details, or other confidential information may be exposed to low-privilege site members.

Conditions required to exploit

05 Prerequisites

Valid WordPress user account with low-level permissions (e.g., subscriber or contributor role).

Key dates

06 Disclosure timeline

December 29, 2025: CVE published
April 28, 2026: Record updated
