The WP Project Manager – Task, Team, and Project Management Plugin with Kanban Board and Gantt Charts plugin for WordPress (henceforth referred to as WP Project Manager) is a popular plugin used by many organizations to facilitate team collaboration and project management within a WordPress site. Unfortunately, all versions of the plugin up to, and including, 2.6.13 are found to be vulnerable to Insecure Direct Object Reference (IDOR) via the 'Abstract_Permission' class due to missing validation on the 'user_id' user-controlled key. This vulnerability makes it possible for unauthenticated attackers to spoof their identity to that of an administrator and access all of the plugin's REST routes.
Vulnerability Details
The vulnerability in question is an Insecure Direct Object Reference (IDOR), which arises when an application exposes a reference to an internal object, such as a file or database key, without properly validating user permissions. In the case of the WP Project Manager, the vulnerability lies in the 'Abstract_Permission' class, which fails to validate the 'user_id' user-controlled key provided in REST API requests.
Below is a code snippet demonstrating this issue (the vulnerable constructor as shipped in the affected versions; the rest of the class is omitted):

```php
class Abstract_Permission {
    protected $user_id;
    protected $project_id;

    public function __construct( $project_id = '', $user_id = '' ) {
        $this->user_id    = $user_id;    // No validation: the caller-supplied user_id is trusted as-is
        $this->project_id = $project_id;
    }
    // ...
}
```
In practical terms, this vulnerability allows an attacker to spoof their identity as an administrator and access all of the plugin's REST routes, potentially gaining unauthorized access to sensitive project data and even modifying project settings.
Exploit Details
The exploitation of this vulnerability would involve an attacker sending a crafted REST API request to the WP Project Manager plugin with a spoofed 'user_id' value, as illustrated in the following example:

```http
POST /wp-json/pm/v2/projects/ HTTP/1.1
Host: target.site
Content-Type: application/json
...

{
  "name": "Compromised Project",
  "user_id": "1"
}
```

The 'user_id' value of 1 in the body is the spoofed ID of a known administrator account.
By doing so, the attacker could create, modify, or delete projects, tasks, and other related data as if they were an authorized administrator.
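As an added example that is not part of the original write-up or the plugin's own code, the following hardened base class shows the fix pattern the vulnerable constructor lacks: the acting user is taken from the authenticated WordPress session, and a request body that tries to set 'user_id' is flagged instead of trusted. The class and method names are hypothetical; get_current_user_id() and user_can() are real WordPress functions, and the fallback stubs exist only so the file also runs outside WordPress.

```php
<?php
// Added example, not the plugin's code: identity comes from the session,
// never from a 'user_id' key in the REST request.

// Fallbacks so the file runs outside WordPress (constructed demo behaviour:
// nobody is logged in, and only user 1 holds manage_options).
if ( ! function_exists( 'get_current_user_id' ) ) {
    function get_current_user_id() { return 0; }   // 0 = not logged in
}
if ( ! function_exists( 'user_can' ) ) {
    function user_can( $user_id, $cap ) { return $user_id === 1 && $cap === 'manage_options'; }
}

abstract class Hardened_Abstract_Permission {
    protected $user_id;
    protected $project_id;

    // No $user_id parameter: the constructor cannot be handed a spoofed identity.
    public function __construct( $project_id = 0 ) {
        $this->user_id    = (int) get_current_user_id();
        $this->project_id = (int) $project_id;
    }

    // True when the request body names a user other than the authenticated caller;
    // a REST route can use this to reject the request with 403 before acting.
    public static function body_spoofs_user_id( array $params ) {
        return array_key_exists( 'user_id', $params )
            && (int) $params['user_id'] !== (int) get_current_user_id();
    }

    // Unauthenticated callers (id 0) are denied before any capability check runs.
    public function is_admin() {
        return $this->user_id > 0 && user_can( $this->user_id, 'manage_options' );
    }
}

final class Project_Permission extends Hardened_Abstract_Permission {}

// Constructed request body mirroring the one in the write-up, sent with no session.
$body = array( 'name' => 'Compromised Project', 'user_id' => '1' );
$perm = new Project_Permission( 42 );
var_dump( Hardened_Abstract_Permission::body_spoofs_user_id( $body ) );
var_dump( $perm->is_admin() );
```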
Mitigation and Recommendation
The developers of the WP Project Manager have acknowledged this vulnerability and released a patch for it in version 2.6.14 of the plugin. The immediate resolution is to update the plugin from any vulnerable version (2.6.13 and lower) to the patched version 2.6.14: in the WordPress admin dashboard, open the Plugins page, locate the WP Project Manager row and click the 'Update Now' link.
As a general security best practice, always ensure your WordPress installation, plugins, and themes are up-to-date to protect against known vulnerabilities.
Links to Additional References
- CVE-2024-10174 Details
- WP Project Manager – Plugin Homepage
- WP Project Manager – Changelog (2.6.14 Patch Notes)
Timeline
Published on: 11/13/2024 04:15:03 UTC
Last modified on: 11/13/2024 17:01:16 UTC