CVE-2024-12015
Description
The 'Project Manager' WordPress Plugin is affected by an authenticated SQL injection vulnerability in the 'orderby' parameter in the '/pm/v2/activities' route.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated SQL injection in the Project Manager WordPress plugin allows attackers to execute arbitrary SQL commands via the 'orderby' parameter.
Vulnerability
Overview
The Project Manager WordPress plugin is vulnerable to an authenticated SQL injection (SQLi) in the /pm/v2/activities REST API route. The flaw exists because the orderby parameter is not validated or sanitized before it is placed into a SQL query [1]. Any attacker holding valid credentials can therefore inject arbitrary SQL.
Exploitation
An attacker can exploit this vulnerability by sending a crafted GET request to the vulnerable endpoint. The proof-of-concept provided by Tenable demonstrates a time-based blind SQL injection using SLEEP(5) to confirm the injection [1]. No special privileges beyond standard user authentication are required, as the route is accessible to any authenticated user.
Impact
Successful exploitation lets an attacker read sensitive data from the WordPress database, including user credentials, session tokens, and other confidential information. The same injection point could also be used to modify or delete data, potentially leading to complete site compromise.
Mitigation
As of the disclosure date, the vendor (WeDevs) has not released a patch. The recommended mitigation is to remove the Project Manager plugin entirely until a fix is available [1]. The vulnerability has been publicly disclosed and proof-of-concept code is available, increasing the risk of exploitation.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
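The root cause described above is the classic ORDER BY sink: a column identifier cannot be bound as a value with a prepared statement, so the only sound fix is to map the user-supplied `orderby` onto a fixed allowlist before it reaches the query. The following is an added illustration written for this page, not the Project Manager plugin's own code; the route namespace, table name, column names and every `pm_example_*` function are assumptions. It shows the weak pattern beside a hardened REST handler that uses standard WordPress APIs (`register_rest_route` argument validation, `sanitize_key`, `$wpdb->prepare`).

```php
<?php
// Added example (not the plugin's code). Names below are assumptions for illustration.

// WEAK PATTERN (do not use): the request value is interpolated straight into ORDER BY.
// Because identifiers cannot be parameterized, prepare() does not help here, and an
// unvalidated value becomes an injection point exactly like the one the CVE describes.
function pm_example_weak_sql( $orderby, $table ) {
    return "SELECT * FROM {$table} ORDER BY {$orderby}";
}

// HARDENED PATTERN: only values from a closed allowlist ever reach the query.
function pm_example_allowed_orderby() {
    return array( 'id', 'created_at', 'updated_at' ); // assumed column names
}

function pm_example_normalize_orderby( $orderby ) {
    $orderby = sanitize_key( (string) $orderby );          // lowercase, [a-z0-9_-] only
    if ( ! in_array( $orderby, pm_example_allowed_orderby(), true ) ) {
        return 'id';                                         // safe default, never the raw input
    }
    return $orderby;
}

function pm_example_normalize_order( $order ) {
    return 'ASC' === strtoupper( (string) $order ) ? 'ASC' : 'DESC';
}

function pm_example_query_activities( WP_REST_Request $request ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'pm_activities';              // assumed table name
    $orderby = pm_example_normalize_orderby( $request->get_param( 'orderby' ) );
    $order   = pm_example_normalize_order( $request->get_param( 'order' ) );

    // Identifiers are now fixed strings from the allowlist; data values are still bound.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE project_id = %d ORDER BY {$orderby} {$order} LIMIT %d",
        absint( $request->get_param( 'project_id' ) ),
        20
    );
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'pm-example/v1', '/activities', array(   // assumed namespace/route
        'methods'             => 'GET',
        'callback'            => 'pm_example_query_activities',
        'permission_callback' => function () { return is_user_logged_in(); },
        'args'                => array(
            // REST schema validation rejects anything outside the enum before the callback runs.
            'orderby'    => array( 'type' => 'string', 'enum' => pm_example_allowed_orderby() ),
            'order'      => array( 'type' => 'string', 'enum' => array( 'asc', 'desc', 'ASC', 'DESC' ) ),
            'project_id' => array( 'type' => 'integer', 'required' => true ),
        ),
    ) );
} );
```

The two layers are deliberate: the `enum` in the route schema stops bad input at the REST layer, and the allowlist in the handler guarantees the same property even if the handler is later called from another code path. Until a vendor patch exists, a site owner reviewing their own instance should look for ORDER BY clauses built from request parameters that lack such an allowlist, and should treat a request log showing an `orderby` value containing anything other than a plain column name as a probe worth investigating.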
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 1
News mentions: 0 (no linked articles in our index yet)