WordPress Plugin Vulnerabilities

Zephyr Project Manager < 3.2.5 - Unauthorised REST Calls to Stored XSS

Description

The plugin does not have proper authorisation (even when the Require Authorisation for REST API Requests is enabled) in all its REST endpoints, allowing unauthenticated users to call them either directly. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks against logged in admins

Proof of Concept

Affects Plugins

Plugin icon
zephyr-project-manager
Fixed in 3.2.5

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.3 (high)

Miscellaneous

Original Researcher
WPScan
Verified
Yes
WPVDB ID
bfd8a7aa-5977-4fe5-b2fc-12bf93caf3ed

Timeline

Publicly Published
2022-08-29 (about 3 years ago)
Added
2022-08-29 (about 3 years ago)
Last Updated
2022-08-29 (about 3 years ago)

Other

Published
Title
Published
2025-01-03
Title
Media Library Assistant < 3.24 - Reflected Cross-Site Scripting via smc_settings_tab, unattachfixit-action, and woofixit-action Parameters
Published
2024-09-09
Title
Post Grid and Gutenberg Blocks < 2.2.93 - Contributor+ Stored XSS
Published
2025-11-06
Title
LearnPress < 4.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2024-06-06
Title
WP Visitors Tracker < 2.4 - Reflected Cross-Site Scripting
Published
2021-06-14
Title
Jannah < 5.4.5 - Reflected Cross-Site Scripting (XSS)