CVE-2025-8994: 
WordPress 脆弱性の分析と軽減

The WP Project Manager plugin for WordPress (versions up to 2.6.26) contains a time-based SQL Injection vulnerability (CVE-2025-8994) discovered in November 2025. The vulnerability exists in the 'completedatoperator' parameter due to insufficient escaping of user input and inadequate SQL query preparation. This security flaw affects the Project Management, Team Collaboration, Kanban Board, Gantt Charts, and Task Manager functionalities of the plugin (NVD).

The vulnerability is classified as a SQL Injection (CWE-89) with a CVSS v3.1 Base Score of 6.5 (MEDIUM). The attack vector requires network access (N) with low attack complexity (L) and low privileges (PR). The scope is unchanged (U) with high confidentiality impact (H) but no impact on integrity (N) or availability (N). The vulnerability allows authenticated attackers with Subscriber-level access or higher to append additional SQL queries to existing ones (NVD, Wordfence).

The vulnerability enables authenticated attackers to extract sensitive information from the database by injecting malicious SQL queries. This could potentially lead to unauthorized access to private project data, user information, and other confidential content stored within the WP Project Manager plugin's database (NVD).

A fix has been released in version 2.6.27 of the WP Project Manager plugin, which includes improved sanitization to prevent SQL Injection. Users are advised to update to this latest version immediately (WordPress Changeset).