CVE-2024-12195: 
WordPress vulnerability analysis and mitigation

The WP Project Manager plugin for WordPress (versions up to 2.6.16) contains a SQL Injection vulnerability identified as CVE-2024-12195. The vulnerability exists in the 'project_id' parameter of the /wp-json/pm/v2/projects/2/task-lists REST API endpoint due to insufficient parameter escaping and inadequate SQL query preparation. The vulnerability was discovered by researcher Trương Hữu Phúc and was publicly disclosed on January 4, 2025 (NVD CVE).

The vulnerability is classified as a SQL Injection (CWE-89) with a CVSS v3.1 base score of 6.5 (Medium). The attack vector is network-accessible (AV:N) with low attack complexity (AC:L), requiring low privileges (PR:L) and no user interaction (UI:N). The scope is unchanged (S:U) with high confidentiality impact (C:H) but no impact on integrity (I:N) or availability (A:N) (NVD CVE).

When exploited, this vulnerability allows authenticated attackers with project access to append additional SQL queries to existing ones, potentially leading to the extraction of sensitive information from the database (NVD CVE).

Users are advised to update to version 2.6.17 or later of the WP Project Manager plugin, which contains the fix for this vulnerability. A patch has been made available through the WordPress plugin repository (WordPress Patch).