CVE-2024-10174 Overview
CVE-2024-10174 affects the WP Project Manager plugin for WordPress, a task, team, and project management plugin featuring Kanban boards and Gantt charts. The vulnerability is an Insecure Direct Object Reference [CWE-639] in the Abstract_Permission class, caused by missing validation on the user-controlled user_id key. Unauthenticated attackers can spoof their identity as an administrator and access all of the plugin's REST routes. All versions up to and including 2.6.13 are affected.
Critical Impact
Unauthenticated attackers can impersonate administrators by supplying a chosen user_id value, granting full access to the plugin's REST API endpoints and the project data they expose.
Affected Products
- weDevs WP Project Manager plugin for WordPress
- All versions up to and including 2.6.13
- WordPress sites using the wedevs-project-manager plugin
Discovery Timeline
- 2024-11-13 - CVE-2024-10174 published to NVD
- 2025-02-05 - Last updated in NVD database
Technical Details for CVE-2024-10174
Vulnerability Analysis
The flaw resides in the Abstract_Permission class located at core/Permissions/Abstract_Permission.php. The class accepts a user_id parameter directly from the request without verifying that the value matches the authenticated session. Permission checks then resolve against the attacker-supplied identifier rather than the actual requester.
Because the plugin's REST routes rely on this class for access control, an attacker can supply the numeric ID of an administrator account and gain administrator-level access. The plugin exposes endpoints for projects, tasks, files, milestones, and user management, so the impact extends across the entire plugin surface.
The vulnerability is exploitable over the network without authentication or user interaction. Attackers only need to know or enumerate a valid administrator user_id value, which is often 1 on default WordPress installations.
Root Cause
The root cause is missing server-side validation of the user_id key supplied in REST API requests. The Abstract_Permission class trusts the client-supplied identifier instead of deriving the acting user from the authenticated WordPress session. This is a textbook Insecure Direct Object Reference pattern [CWE-639].
Attack Vector
An attacker sends crafted HTTP requests to the plugin's REST endpoints and includes a user_id parameter referencing an administrator account. The Abstract_Permission class loads permissions for that identifier and grants access. The attacker reads, modifies, or deletes project data and can pivot to other plugin-managed resources.
The vulnerability manifests in the permission resolution logic of Abstract_Permission.php. See the WordPress Plugin Code Review and the Wordfence Vulnerability Report for the annotated source.
Detection Methods for CVE-2024-10174
Indicators of Compromise
- Unauthenticated HTTP requests to /wp-json/pm/ REST routes that include a user_id parameter referencing privileged accounts.
- Unexpected project, task, or milestone changes in WP Project Manager audit logs from anonymous sources.
- Repeated REST API calls iterating sequential user_id values, indicating administrator enumeration.
Detection Strategies
- Inspect web server and WordPress access logs for requests to plugin REST endpoints containing client-supplied user_id values from unauthenticated sessions.
- Compare the WordPress session cookie identity against any user_id parameter present in the request body or query string and alert on mismatches.
- Monitor for spikes in 4xx/2xx responses to /wp-json/pm/v2/ paths originating from external IP addresses.
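A small detector for the indicators and strategies listed above, added here as an example and not part of the original report. It assumes an nginx log_format that appends $http_cookie as a final quoted field (so session presence is visible per request), and the sample lines are constructed, not real traffic.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs
# Constructed sample lines (not from the page); assumed nginx log_format appends $http_cookie last.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Nov/2024:10:00:01 +0000] "GET /wp-json/pm/v2/projects?user_id=1 HTTP/1.1" 200 512 "-"
203.0.113.5 - - [13/Nov/2024:10:00:02 +0000] "GET /wp-json/pm/v2/projects?user_id=2 HTTP/1.1" 403 80 "-"
203.0.113.5 - - [13/Nov/2024:10:00:03 +0000] "GET /wp-json/pm/v2/projects?user_id=3 HTTP/1.1" 403 80 "-"
198.51.100.9 - - [13/Nov/2024:10:05:00 +0000] "GET /wp-json/pm/v2/tasks?user_id=7 HTTP/1.1" 200 900 "wordpress_logged_in_abc=example"
198.51.100.9 - - [13/Nov/2024:10:06:00 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 2048 "-"
"""
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" '
                     r'(?P<status>\d{3}) \d+ "(?P<cookie>[^"]*)"$')
PM_PREFIX = "/wp-json/pm/"      # the plugin's REST namespace named in the report
ENUM_THRESHOLD = 3              # consecutive integer user_id values from one IP

def parse_line(line):
    """Return a dict for one log line, or None if it does not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["user_id"] = parse_qs(parts.query).get("user_id", [None])[0]
    # Presence check only: the cookie name shows a session is claimed, not that it is valid.
    rec["logged_in"] = "wordpress_logged_in_" in rec["cookie"]
    return rec

def find_indicators(log_text):
    """Flag unauthenticated user_id use on plugin routes and sequential user_id enumeration."""
    findings, ids_by_ip = [], defaultdict(set)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or not rec["path"].startswith(PM_PREFIX) or rec["user_id"] is None:
            continue
        if not rec["logged_in"]:
            findings.append(("unauthenticated_user_id", rec["ip"], rec["user_id"]))
        if rec["user_id"].isdigit():
            ids_by_ip[rec["ip"]].add(int(rec["user_id"]))
    for ip, ids in ids_by_ip.items():
        ordered = sorted(ids)
        longest = run = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            longest = max(longest, run)
        if longest >= ENUM_THRESHOLD:
            findings.append(("user_id_enumeration", ip, f"{longest} sequential ids"))
    return findings
```

Run find_indicators over the sample and the three anonymous requests from 203.0.113.5 are reported individually, plus one enumeration finding for that IP; the cookie-bearing request from 198.51.100.9 is not flagged.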
Monitoring Recommendations
- Enable verbose REST API request logging at the WordPress or reverse-proxy layer to capture full URIs and bodies for plugin routes.
- Track installed plugin versions across the estate and flag any host running WP Project Manager at version 2.6.13 or earlier.
- Forward web access logs to a centralized analytics platform for correlation across hosts and long-term retention.
How to Mitigate CVE-2024-10174
Immediate Actions Required
- Update WP Project Manager to the patched release that follows changeset 3185807 immediately on every WordPress site.
- Restrict access to /wp-json/pm/ endpoints at the WAF or reverse proxy until the plugin is confirmed patched.
- Audit administrator accounts and recent project, task, and file changes for unauthorized modifications.
Patch Information
The vendor addressed the issue in the commit recorded as WordPress Changeset 3185807, which adds validation against the authenticated user rather than trusting the client-supplied user_id. Sites must be running a release that incorporates this changeset to be protected.
Workarounds
- Deactivate and delete the WP Project Manager plugin until the patched version is deployed.
- Block unauthenticated requests to /wp-json/pm/ paths using a web application firewall rule.
- Use a WAF rule that strips or rejects any user_id parameter on plugin REST routes when the request lacks a valid administrator session cookie.
# Example nginx rule to block unauthenticated access to the plugin's REST namespace.
# This only tests for the presence of a WordPress login cookie name, not its validity,
# so it is a stopgap until the patched plugin release is installed. Keep the site's
# normal PHP handling (for example its try_files / fastcgi_pass directives) inside this
# location as well, otherwise matching requests from logged-in users will no longer
# reach WordPress.
location ~* /wp-json/pm/ {
    if ($http_cookie !~* "wordpress_logged_in_") {
        return 403;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.