Project Manager <= 3.0.1 - Authenticated (Subscriber+) Information Exposure
Description
The Project Manager – AI-Powered Project & Task Manager with Kanban Board & Gantt Chart plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive user or configuration data.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=3.0.1Source Code
WordPress.org SVNThis research plan outlines the methodology for exploiting **CVE-2025-68040**, an Information Exposure vulnerability in the **Project Manager (wedevs-project-manager)** plugin for WordPress. ## 1. Vulnerability Summary The "Project Manager – AI Powered" plugin (versions <= 3.0.1) fails to implement…
Show full research plan
This research plan outlines the methodology for exploiting CVE-2025-68040, an Information Exposure vulnerability in the Project Manager (wedevs-project-manager) plugin for WordPress.
1. Vulnerability Summary
The "Project Manager – AI Powered" plugin (versions <= 3.0.1) fails to implement adequate authorization checks on its REST API endpoints. Specifically, several endpoints intended for administrators or project managers are accessible to any authenticated user, including those with the Subscriber role. This allows attackers to extract sensitive system configurations (including AI API keys) and user metadata that should be restricted.
2. Attack Vector Analysis
- Endpoint: WordPress REST API namespace
pm/v2. - Vulnerable Routes (Inferred):
/wp-json/pm/v2/settings(Exposure of configuration/AI keys)/wp-json/pm/v2/users(Exposure of user list and metadata)
- Authentication: Authenticated (Subscriber level or higher).
- Parameter:
X-WP-Nonceheader is required for REST API access. - Preconditions: The plugin must be active. The attacker needs valid Subscriber credentials.
3. Code Flow
- Entry Point: The plugin registers its REST API routes during the
rest_api_inithook, typically within a controller registration class (e.g.,src/REST_API/Router.phporincludes/REST/Router.php). - Route Registration: The routes are registered using
register_rest_route('pm/v2', ...). - Vulnerable Callback: The
permission_callbackfor sensitive routes likely usesis_user_logged_in()or a weak check that does not verify specific capabilities likemanage_optionsorpm_manager. - Data Retrieval: The
get_itemorget_itemsmethod of the controller (e.g.,Settings_ControllerorUser_Controller) fetches data from thewp_optionstable orwp_userstable and returns it in the JSON response without filtering sensitive fields.
4. Nonce Acquisition Strategy
WordPress REST API requires a nonce for authenticated requests. Since we are targeting an authenticated (Subscriber) vulnerability, we can obtain this nonce from the WordPress admin dashboard.
- Log in as the Subscriber user.
- Navigate to
/wp-admin/profile.php. - Execute JavaScript to extract the nonce provided by the WordPress core for the REST API.
Execution Command:
// Use browser_eval to get the nonce
browser_eval("window.wpApiSettings?.nonce")
The variable wpApiSettings is localized by WordPress core on most admin pages for logged-in users. The key is nonce.
5. Exploitation Strategy
We will attempt to extract sensitive configuration data and the full user list.
Step 1: Extract Configuration (AI Keys/Settings)
Request:
- Method:
GET - URL:
/wp-json/pm/v2/settings - Headers:
X-WP-Nonce:[EXTRACTED_NONCE]Content-Type:application/json
Step 2: Extract User Data
Request:
- Method:
GET - URL:
/wp-json/pm/v2/users - Headers:
X-WP-Nonce:[EXTRACTED_NONCE]Content-Type:application/json
6. Test Data Setup
- Install Plugin: Ensure
wedevs-project-managerversion 3.0.1 is installed. - Create User: Create a Subscriber user named
attacker_sub. - Add Sensitive Data:
- Navigate to Project Manager Settings (as Admin).
- If there are AI settings or OpenAI API key fields, populate them with a dummy string (e.g.,
sk-proj-VULNERABILITY-TEST-12345).
- Create Dummy Projects/Users: Ensure there are multiple users in the system to verify the user list exposure.
7. Expected Results
- Settings Exposure: The response to
/pm/v2/settingsshould return a JSON object containing plugin configurations. Success is confirmed if sensitive keys (likeopenai_keyor internal pathing) are visible in the JSON. - User Exposure: The response to
/pm/v2/usersshould return an array of user objects. Success is confirmed if it returns data for users other than the currently logged-in Subscriber, specifically including email addresses or roles.
8. Verification Steps
- Compare Output: Run a WP-CLI command to check the actual option value in the database and compare it to the REST API output.
wp option get pm_settings --format=json - Check Capability: Verify that the Subscriber user should not have access to these settings via the UI.
wp user cap list attacker_sub # Verify 'manage_options' is NOT present.
9. Alternative Approaches
If the pm/v2/settings endpoint is restricted, try these alternatives:
- Endpoint:
/wp-json/pm/v2/projects— To see if project details/internal comments are exposed to Subscribers who aren't assigned to those projects. - Endpoint:
/wp-json/pm/v2/activities— To leak system-wide activity logs. - Parameter Fuzzing: If
/pm/v2/settingsreturns an empty object, tryGET /wp-json/pm/v2/settings?type=allor similar query parameters inferred from the plugin's JS source (look forsrc/assets/js/in the plugin folder).
Summary
The Project Manager plugin for WordPress (<= 3.0.1) exposes sensitive configuration and user data via its REST API because it lacks sufficient authorization checks. Authenticated attackers with Subscriber-level privileges can access endpoints like /pm/v2/settings to retrieve AI API keys and other system-level configurations.
Security Fix
@@ -10,7 +10,7 @@ 'methods' => 'GET', 'callback' => [ $this, 'get_items' ], 'permission_callback' => function() { - return is_user_logged_in(); + return current_user_can( 'manage_options' ); } ]); @@ -10,7 +10,7 @@ 'methods' => 'GET', 'callback' => [ $this, 'get_items' ], 'permission_callback' => function() { - return is_user_logged_in(); + return current_user_can( 'manage_options' ); } ]);
Exploit Outline
The exploit targets the plugin's custom REST API namespace `pm/v2`. An attacker requires valid credentials for any authenticated role, such as a Subscriber. 1. Log in to the WordPress site as a Subscriber-level user. 2. Retrieve the REST API nonce (typically available in the browser via `window.wpApiSettings.nonce` on admin pages like `/wp-admin/profile.php`). 3. Send a GET request to the vulnerable endpoint `/wp-json/pm/v2/settings` including the `X-WP-Nonce` header. 4. The response contains a JSON object with sensitive configuration data, including potential OpenAI or other AI API keys. 5. Similarly, a GET request to `/wp-json/pm/v2/users` can be used to leak detailed user metadata, including emails and roles of all users on the site.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.