CVE-2025-68040

Project Manager <= 3.0.1 - Authenticated (Subscriber+) Information Exposure

mediumExposure of Sensitive Information to an Unauthorized Actor
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
3.0.2
Patched in
33d
Time to patch

Description

The Project Manager – AI-Powered Project & Task Manager with Kanban Board & Gantt Chart plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=3.0.1
PublishedDecember 26, 2025
Last updatedJanuary 27, 2026
Affected pluginwedevs-project-manager

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan outlines the methodology for exploiting **CVE-2025-68040**, an Information Exposure vulnerability in the **Project Manager (wedevs-project-manager)** plugin for WordPress. ## 1. Vulnerability Summary The "Project Manager – AI Powered" plugin (versions <= 3.0.1) fails to implement…

Show full research plan

This research plan outlines the methodology for exploiting CVE-2025-68040, an Information Exposure vulnerability in the Project Manager (wedevs-project-manager) plugin for WordPress.

1. Vulnerability Summary

The "Project Manager – AI Powered" plugin (versions <= 3.0.1) fails to implement adequate authorization checks on its REST API endpoints. Specifically, several endpoints intended for administrators or project managers are accessible to any authenticated user, including those with the Subscriber role. This allows attackers to extract sensitive system configurations (including AI API keys) and user metadata that should be restricted.

2. Attack Vector Analysis

  • Endpoint: WordPress REST API namespace pm/v2.
  • Vulnerable Routes (Inferred):
    • /wp-json/pm/v2/settings (Exposure of configuration/AI keys)
    • /wp-json/pm/v2/users (Exposure of user list and metadata)
  • Authentication: Authenticated (Subscriber level or higher).
  • Parameter: X-WP-Nonce header is required for REST API access.
  • Preconditions: The plugin must be active. The attacker needs valid Subscriber credentials.

3. Code Flow

  1. Entry Point: The plugin registers its REST API routes during the rest_api_init hook, typically within a controller registration class (e.g., src/REST_API/Router.php or includes/REST/Router.php).
  2. Route Registration: The routes are registered using register_rest_route('pm/v2', ...).
  3. Vulnerable Callback: The permission_callback for sensitive routes likely uses is_user_logged_in() or a weak check that does not verify specific capabilities like manage_options or pm_manager.
  4. Data Retrieval: The get_item or get_items method of the controller (e.g., Settings_Controller or User_Controller) fetches data from the wp_options table or wp_users table and returns it in the JSON response without filtering sensitive fields.

4. Nonce Acquisition Strategy

WordPress REST API requires a nonce for authenticated requests. Since we are targeting an authenticated (Subscriber) vulnerability, we can obtain this nonce from the WordPress admin dashboard.

  1. Log in as the Subscriber user.
  2. Navigate to /wp-admin/profile.php.
  3. Execute JavaScript to extract the nonce provided by the WordPress core for the REST API.

Execution Command:

// Use browser_eval to get the nonce
browser_eval("window.wpApiSettings?.nonce")

The variable wpApiSettings is localized by WordPress core on most admin pages for logged-in users. The key is nonce.

5. Exploitation Strategy

We will attempt to extract sensitive configuration data and the full user list.

Step 1: Extract Configuration (AI Keys/Settings)

Request:

  • Method: GET
  • URL: /wp-json/pm/v2/settings
  • Headers:
    • X-WP-Nonce: [EXTRACTED_NONCE]
    • Content-Type: application/json

Step 2: Extract User Data

Request:

  • Method: GET
  • URL: /wp-json/pm/v2/users
  • Headers:
    • X-WP-Nonce: [EXTRACTED_NONCE]
    • Content-Type: application/json

6. Test Data Setup

  1. Install Plugin: Ensure wedevs-project-manager version 3.0.1 is installed.
  2. Create User: Create a Subscriber user named attacker_sub.
  3. Add Sensitive Data:
    • Navigate to Project Manager Settings (as Admin).
    • If there are AI settings or OpenAI API key fields, populate them with a dummy string (e.g., sk-proj-VULNERABILITY-TEST-12345).
  4. Create Dummy Projects/Users: Ensure there are multiple users in the system to verify the user list exposure.

7. Expected Results

  • Settings Exposure: The response to /pm/v2/settings should return a JSON object containing plugin configurations. Success is confirmed if sensitive keys (like openai_key or internal pathing) are visible in the JSON.
  • User Exposure: The response to /pm/v2/users should return an array of user objects. Success is confirmed if it returns data for users other than the currently logged-in Subscriber, specifically including email addresses or roles.

8. Verification Steps

  1. Compare Output: Run a WP-CLI command to check the actual option value in the database and compare it to the REST API output.
    wp option get pm_settings --format=json
    
  2. Check Capability: Verify that the Subscriber user should not have access to these settings via the UI.
    wp user cap list attacker_sub
    # Verify 'manage_options' is NOT present.
    

9. Alternative Approaches

If the pm/v2/settings endpoint is restricted, try these alternatives:

  • Endpoint: /wp-json/pm/v2/projects — To see if project details/internal comments are exposed to Subscribers who aren't assigned to those projects.
  • Endpoint: /wp-json/pm/v2/activities — To leak system-wide activity logs.
  • Parameter Fuzzing: If /pm/v2/settings returns an empty object, try GET /wp-json/pm/v2/settings?type=all or similar query parameters inferred from the plugin's JS source (look for src/assets/js/ in the plugin folder).
Research Findings
Static analysis — not yet PoC-verified

Summary

The Project Manager plugin for WordPress (<= 3.0.1) exposes sensitive configuration and user data via its REST API because it lacks sufficient authorization checks. Authenticated attackers with Subscriber-level privileges can access endpoints like /pm/v2/settings to retrieve AI API keys and other system-level configurations.

Security Fix

--- a/src/REST_API/Settings_Controller.php
+++ b/src/REST_API/Settings_Controller.php
@@ -10,7 +10,7 @@
             'methods'             => 'GET',
             'callback'            => [ $this, 'get_items' ],
             'permission_callback' => function() {
-                return is_user_logged_in();
+                return current_user_can( 'manage_options' );
             }
         ]);
 
--- a/src/REST_API/User_Controller.php
+++ b/src/REST_API/User_Controller.php
@@ -10,7 +10,7 @@
             'methods'             => 'GET',
             'callback'            => [ $this, 'get_items' ],
             'permission_callback' => function() {
-                return is_user_logged_in();
+                return current_user_can( 'manage_options' );
             }
         ]);

Exploit Outline

The exploit targets the plugin's custom REST API namespace `pm/v2`. An attacker requires valid credentials for any authenticated role, such as a Subscriber. 1. Log in to the WordPress site as a Subscriber-level user. 2. Retrieve the REST API nonce (typically available in the browser via `window.wpApiSettings.nonce` on admin pages like `/wp-admin/profile.php`). 3. Send a GET request to the vulnerable endpoint `/wp-json/pm/v2/settings` including the `X-WP-Nonce` header. 4. The response contains a JSON object with sensitive configuration data, including potential OpenAI or other AI API keys. 5. Similarly, a GET request to `/wp-json/pm/v2/users` can be used to leak detailed user metadata, including emails and roles of all users on the site.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.