CVE-2024-10548: 
WordPress vulnerability analysis and mitigation

The WP Project Manager plugin for WordPress contains a Sensitive Information Exposure vulnerability (CVE-2024-10548) affecting all versions up to and including 2.6.15. The vulnerability was discovered and disclosed on December 18, 2024, impacting the Project Task List REST API endpoint ('/wp-json/pm/v2/projects/1/task-lists'). This security flaw affects installations of the WP Project Manager WordPress plugin (Wordfence Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 6.5 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N. The security flaw exists in the Project Task List REST API endpoint, which allows authenticated users with Subscriber-level access or higher to extract sensitive information. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (NVD).

The vulnerability allows authenticated attackers with Subscriber-level access or higher to extract sensitive data, including the hashed passwords of project owners such as administrators. This exposure of sensitive information could potentially lead to unauthorized access to administrative accounts (NVD).

Users are advised to update to version 2.6.16 or later of the WP Project Manager plugin, which contains a patch for this vulnerability. The fix can be found in the Task List Controller implementation (WordPress Patch).