On July 9, 2023, the Wordfence Threat Intelligence team identified and began the responsible disclosure process for a Privilege Escalation vulnerability in weDevs’s WP Project Manager plugin, which is actively installed on more than 10,000 WordPress websites. This vulnerability makes it possible for an authenticated attacker to grant themselves administrative privileges by updating user metadata.
All Wordfence users received protection on August 12, 2023.
Wordfence contacted weDevs on July 11, 2023, and received a response on July 16, 2023. After providing full disclosure details, the developer released a patch on July 24, 2023. We would like to commend the weDevs development team for their prompt response and timely patch.
We urge users to update their sites with the latest patched version of WP Project Manager, which is version 2.6.5 at the time of this writing, as soon as possible.