CVE-2024-10520: 
WordPress vulnerability analysis and mitigation

The WP Project Manager plugin for WordPress (version 2.6.14) contains a vulnerability identified as CVE-2024-10520, discovered and reported by Noah Stead. The vulnerability stems from missing authorization checks in several core classes, including 'Create_Milestone', 'Create_Task_List', 'Create_Task', and 'Delete_Task'. This security issue was publicly disclosed on November 19, 2024, and received a CVSS v3.1 score of 5.3 (Medium) (NVD, Wordfence).

The vulnerability is classified as CWE-862 (Missing Authorization) and affects the 'check' method in multiple classes of the WP Project Manager plugin. The security flaw exists due to insufficient capability checks in the plugin's core functionality related to project management tasks. The vulnerability received a CVSS v3.1 Base Score of 5.3 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N (NVD).

The vulnerability allows unauthenticated attackers to perform unauthorized actions within any project, including creating milestones, creating task lists, creating tasks, and deleting tasks. This can lead to unauthorized modification of project data and potential disruption of project management workflows (NVD).

A partial fix was implemented in version 2.6.14 of the plugin. Users are advised to update to version 2.6.15 or later which contains the complete fix for this vulnerability (NVD).