A SQL Injection vulnerability has been identified in the WordPress WP Project Manager Plugin. This vulnerability could allow an attacker to inject malicious SQL code into the database, potentially compromising the security of the website and its visitors.

This vulnerability was discovered and responsibly reported by Theodoros Malachias.

The vulnerability is a SQL Injection vulnerability that occurs in the wp-project-manager.php file. The vulnerability allows an attacker to inject malicious SQL code into the database by specifying a specially crafted URL.


The vulnerability has a CVSS 3.1 score of 8.5, which is considered to be high. This means that the vulnerability is likely to be exploited and could have a significant impact on the affected system.

Affected Versions:

To address this vulnerability and enhance the website’s security, it is imperative to update the WP Project Manager Plugin to at least version 2.6.1.


An attacker who successfully exploits this vulnerability could:

  • Directly interact with the database, including but not limited to:
    • Stealing information
    • Modifying data
    • Creating or deleting tables

This could lead to a variety of security risks, such as:

  • Data theft
  • Website defacement
  • Denial of service attacks


In light of the severity of this vulnerability, we strongly recommend the following actions:

  • Immediate Update: Users of the WP Project Manager Plugin are strongly advised to update to the latest available version (at least 2.6.1). This vulnerability has been fixed in version 2.6.1.