CVE-2024-13500: 
WordPress vulnerability analysis and mitigation

The WP Project Manager plugin for WordPress (versions <= 2.6.17) contains a time-based SQL injection vulnerability that was discovered in February 2025. This vulnerability affects the task, team, and project management functionality featuring kanban board and gantt charts. The issue was assigned CVE-2024-13500 with a CVSS score of 6.5, indicating a moderate severity level (Wordfence Threat).

The vulnerability is characterized as a time-based SQL injection that affects authenticated users with Subscriber level permissions or higher. The issue was identified by security researcher Krzysztof Zając and received a CVSS v3.1 score of 6.5 with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (Wordfence Research).

The vulnerability could allow authenticated attackers to execute SQL injection attacks, potentially leading to unauthorized access to sensitive information stored in the WordPress database. The CVSS scoring indicates that while the vulnerability has high confidentiality impact, it does not affect integrity or availability of the system (NVD Database).

The vulnerability was addressed in version 2.6.18 of the WP Project Manager plugin, released on February 12, 2025. Users are strongly advised to update to this version or later to protect against potential exploitation. The update includes fixes for the SQL injection vulnerability along with other security improvements (WordPress Plugin).