Learn about CVE-2020-36745, a Cross-Site Request Forgery vulnerability in the WP Project Manager plugin for WordPress. Find out how to mitigate the risk and protect your website.
CVE-2020-36745, assigned by Wordfence, relates to a Cross-Site Request Forgery vulnerability in the WP Project Manager plugin for WordPress.
Understanding CVE-2020-36745
What is CVE-2020-36745?
The CVE-2020-36745 vulnerability involves missing or incorrect nonce validation in the do_updates() function of the WP Project Manager plugin. WordPress nonces are the plugin-level defense against Cross-Site Request Forgery; without them, an unauthenticated attacker who cannot call do_updates() directly can still trigger updates through a forged request that a logged-in administrator is tricked into submitting.
The Impact of CVE-2020-36745
Because the request is carried by the administrator's own authenticated browser session, an attacker who lures an administrator to an attacker-controlled page can have the actions exposed by do_updates() performed without the administrator's knowledge, which could compromise the website.
Technical Details of CVE-2020-36745
Vulnerability Description
The WP Project Manager plugin for WordPress is susceptible to Cross-Site Request Forgery in versions up to 2.4.0 due to inadequate nonce validation on the do_updates() function.
Affected Systems and Versions
WordPress sites running the WP Project Manager plugin in versions up to 2.4.0 are affected.
Exploitation Mechanism
The attacker does not need an account on the site. They induce a logged-in administrator to take an action such as clicking a malicious link or visiting a page that auto-submits a form; the victim's browser then sends the forged request to do_updates() with the administrator's session cookies attached. Because the handler does not verify a nonce tied to the user and the action, it cannot distinguish this forged request from a deliberate one and performs the unauthorized update.
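To make the missing check concrete, the following is an added example written for this page; it is not code from the WP Project Manager plugin and does not reproduce its real do_updates() handler. It shows the CSRF-prone handler pattern described above beside a hardened version that uses the standard WordPress nonce and capability checks. The hook name wp_ajax_pm_do_updates, the nonce action pm_do_updates, the request field nonce, the capability manage_options and the script handle pm-admin are all assumptions chosen for illustration.

```php
<?php
/*
 * Added example, not the plugin's own code.
 * Assumed (not taken from the advisory): hook 'wp_ajax_pm_do_updates',
 * nonce action 'pm_do_updates', request field 'nonce', capability
 * 'manage_options', script handle 'pm-admin'.
 */

// BEFORE: the CSRF-prone pattern. Being logged in only proves that the
// browser holds an administrator's session cookies. A page on another origin
// can submit this request with those cookies attached, so the request is
// authenticated but was never intended by the administrator.
function pm_do_updates_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    // ... perform the update using $_POST values ...
    wp_send_json_success();
}

// AFTER: require a nonce issued to this user for this action, then check
// authorization separately. A cross-origin page cannot read the nonce, so a
// forged request fails at the first check.
function pm_do_updates_hardened() {
    // Verifies $_REQUEST['nonce'] against the action 'pm_do_updates' for the
    // current user and terminates the request (HTTP 403) if it does not match.
    check_ajax_referer( 'pm_do_updates', 'nonce' );

    // The nonce proves intent, not privilege: still enforce a capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // State-changing actions should never be reachable via GET.
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_send_json_error( 'method not allowed', 405 );
    }

    // ... perform the update using sanitized $_POST values ...
    wp_send_json_success();
}
add_action( 'wp_ajax_pm_do_updates', 'pm_do_updates_hardened' );

// Client side: hand the nonce to the legitimate admin page's script so it can
// include it as the 'nonce' field of the POST body.
function pm_enqueue_admin_script() {
    wp_enqueue_script( 'pm-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'pm-admin', 'pmAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'pm_do_updates' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'pm_enqueue_admin_script' );
```

The same two checks apply to a classic form handler: emit the token with wp_nonce_field() and verify it with check_admin_referer() before touching any state. When reviewing a plugin for this class of bug, look for every handler hooked to wp_ajax_*, admin_post_* or admin_init that writes data, and confirm that a nonce check and a capability check both run before the write.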
Mitigation and Prevention
Immediate Steps to Take
Update WP Project Manager to a release that is no longer in the affected range (versions up to 2.4.0 are vulnerable). Until the update is applied, administrators should avoid following untrusted links while logged in to the site, and should review recent project and task changes for anything they did not initiate.
Long-Term Security Practices
Treat any plugin action that changes state as a CSRF target: it must verify a WordPress nonce and check the caller's capability before acting. Limit the number of accounts with administrative privileges, and periodically review installed plugins for known vulnerabilities.
Patching and Updates
Keep WordPress core, plugins and themes current, and enable automatic updates where the site can tolerate them, so that fixes for known vulnerabilities such as this one are applied promptly.