{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8994", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-08-13T17:15:06.350Z", "datePublished": "2025-11-15T05:45:33.608Z", "dateUpdated": "2026-04-08T17:01:10.944Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:01:10.944Z"}, "affected": [{"vendor": "wedevs", "product": "Project Manager \u2013 AI Powered Project Management, Task Management, Kanban Board & Time Tracker", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.6.26", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Project Management, Team Collaboration, Kanban Board, Gantt Charts, Task Manager and More \u2013 WP Project Manager plugin for WordPress is vulnerable to time-based SQL Injection via the \u2018completed_at_operator\u2019 parameter in all versions up to, and including, 2.6.26 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "title": "WP Project Manager <= 2.6.26 - Authenticated (Subscriber+) SQL Injection via 'completed_at_operator'", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/74984cc6-06b1-4c3a-a3e6-9e104c71e9c5?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wedevs-project-manager/tags/2.6.24/src/Task/Helper/Task.php#L1484"}, {"url": "https://plugins.trac.wordpress.org/changeset/3386164/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "timeline": [{"time": "2025-11-07T06:44:33.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-14T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-24T20:26:55.423966Z", "id": "CVE-2025-8994", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-24T20:27:01.309Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8994", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-11-24T20:26:55.423966Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-17T18:45:30.770Z"}}], "cna": {"title": "WP Project Manager <= 2.6.26 - Authenticated (Subscriber+) SQL Injection via 'completed_at_operator'", "credits": [{"lang": "en", "type": "finder", "value": "Michael Mazzolini"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "wedevs", "product": "Project Manager \u2013 AI Powered Project Management, Task Management, Kanban Board & Time Tracker", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.6.26"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-07T06:44:33.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-14T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/74984cc6-06b1-4c3a-a3e6-9e104c71e9c5?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/wedevs-project-manager/tags/2.6.24/src/Task/Helper/Task.php#L1484"}, {"url": "https://plugins.trac.wordpress.org/changeset/3386164/"}], "descriptions": [{"lang": "en", "value": "The Project Management, Team Collaboration, Kanban Board, Gantt Charts, Task Manager and More \u2013 WP Project Manager plugin for WordPress is vulnerable to time-based SQL Injection via the \u2018completed_at_operator\u2019 parameter in all versions up to, and including, 2.6.26 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:01:10.944Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8994", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:01:10.944Z", "dateReserved": "2025-08-13T17:15:06.350Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-15T05:45:33.608Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Project Management, Team Collaboration, Kanban Board, Gantt Charts, Task Manager and More \u2013 WP Project Manager plugin for WordPress is vulnerable to time-based SQL Injection via the \u2018completed_at_operator\u2019 parameter in all versions up to, and including, 2.6.26 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "id": "CVE-2025-8994", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-15T06:15:43.980", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/wedevs-project-manager/tags/2.6.24/src/Task/Helper/Task.php#L1484"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3386164/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/74984cc6-06b1-4c3a-a3e6-9e104c71e9c5?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:37:33.027756+00:00", "value": {"mitigation_remediation": ["Update WP Project Manager to version 2.6.27 or later to remove the vulnerable code path.", "If an update cannot be applied immediately, restrict authentication by revoking Subscriber\u2011level abilities that allow access to the affected functionality.", "Implement input sanitization for the \u2018completed_at_operator\u2019 parameter, escaping characters that could terminate the query or inject SQL conditions.", "Continue to monitor WordPress logs for unusual database queries that could indicate exploitation attempts."], "summary": {"action": "Apply Patch", "impact": "SQL Injection enabling data exfiltration"}, "threat_synthesis": {"affected_systems": "WordPress sites running the WP Project Manager plugin by WeDevs, any version up to and including 2.6.26 are affected. Vendors affected are WeDevs with the Project Manager plugin. Exact versions impacted are 2.6.26 and all earlier releases.", "description_and_impact": "WP Project Manager plugin is vulnerable to a time\u2011based SQL injection via the \u2018completed_at_operator\u2019 parameter. The injection arises from insufficient escaping and a lack of prepared statements, allowing an attacker to append additional SQL clauses. Because the vulnerability can be exploited only by authenticated users with Subscriber role or higher, an attacker can extract sensitive information from the database by injecting payloads that alter query logic.", "risk_and_exploitability": "The CVSS score of 6.5 indicates a moderate severity level. The EPSS score of less than 1% suggests very low probability of exploitation in the wild, and the vulnerability is not listed in CISA\u2019s KEV catalog. Attackers would need authenticated access with Subscriber privileges or higher, which limits the reach but still poses a threat to organizations with many authorized users."}}}}, "created": "2025-11-15T21:25:17.230957+00:00", "updated": "2026-04-21T01:45:24.439642+00:00", "vendors": ["wedevs", "wedevs$PRODUCT$wp_project_manager", "wordpress", "wordpress$PRODUCT$wordpress"]}