Vulnerabilities and security researches forzephyr-project-manager zephyr-project-manager

Direction: ascending

Jun 07, 2024

Zephyr Project Manager # CVE-2022-3333

CVE, Research URL: CVE-2022-3333
Home page URL: Security reports for Zephyr Project Manager
Application: Zephyr Project Manager
Date: Sep 28, 2022
Research Description: A vulnerability, which was classified as problematic, was found in Zephyr Project Manager up to 3.2.4. Affected is an unknown function of the file /v1/tasks/create/ of the component REST Call Handler. The manipulation of the argument onanimationstart leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 3.2.5 is able to address this issue. It is recommended to upgrade the affected component. VDB-209370 is the identifier assigned to this vulnerability.
Affected versions: Min -, max -.
Status: vulnerable

Zephyr Project Manager # CVE-2023-31237

CVE, Research URL: CVE-2023-31237
Home page URL: Security reports for Zephyr Project Manager
Application: Zephyr Project Manager
Date: Dec 29, 2023
Research Description: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Dylan James Zephyr Project Manager.This issue affects Zephyr Project Manager: from n/a through 3.3.9.
Affected versions: Min -, max -.
Status: vulnerable

Zephyr Project Manager # CVE-2022-2839

CVE, Research URL: CVE-2022-2839
Home page URL: Security reports for Zephyr Project Manager
Application: Zephyr Project Manager
Date: Oct 03, 2022
Research Description: The Zephyr Project Manager WordPress plugin before 3.2.55 does not have any authorisation as well as CSRF in all its AJAX actions, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks against logged in admins.
Affected versions: Min -, max -.
Status: vulnerable

Zephyr Project Manager # CVE-2022-1822

CVE, Research URL: CVE-2022-1822
Home page URL: Security reports for Zephyr Project Manager
Application: Zephyr Project Manager
Date: Jun 13, 2022
Research Description: The Zephyr Project Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘project’ parameter in versions up to, and including, 3.2.40 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions: Min -, max -.
Status: vulnerable

Zephyr Project Manager # CVE-2022-2840

CVE, Research URL: CVE-2022-2840
Home page URL: Security reports for Zephyr Project Manager
Application: Zephyr Project Manager
Date: Sep 19, 2022
Research Description: The Zephyr Project Manager WordPress plugin before 3.2.5 does not sanitise and escape various parameters before using them in SQL statements via various AJAX actions available to both unauthenticated and authenticated users, leading to SQL injections
Affected versions: Min -, max -.
Status: vulnerable

Zephyr Project Manager # CVE-2023-34373

CVE, Research URL: CVE-2023-34373
Home page URL: Security reports for Zephyr Project Manager
Application: Zephyr Project Manager
Date: Jun 19, 2023
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in Dylan James Zephyr Project Manager plugin <= 3.3.93 versions.
Affected versions: Min -, max -.
Status: vulnerable

Jul 08, 2024

Zephyr Project Manager # CVE-2024-37484

CVE, Research URL: CVE-2024-37484
Home page URL: Security reports for Zephyr Project Manager
Application: Zephyr Project Manager
Date: Jul 09, 2024
Research Description: Improper Privilege Management vulnerability in Dylan James Zephyr Project Manager allows Privilege Escalation.This issue affects Zephyr Project Manager: from n/a through 3.3.97.
Affected versions: Min -, max -.
Status: vulnerable

Jul 16, 2024

Zephyr Project Manager # CVE-2024-38761

CVE, Research URL: CVE-2024-38761
Home page URL: Security reports for Zephyr Project Manager
Application: Zephyr Project Manager
Date: -
Research Description: Zephyr Project Manager [zephyr-project-manager] < 3.3.100 CVE-2024-38761
Affected versions: Min -, max -.
Status: vulnerable

Aug 01, 2024

Zephyr Project Manager # CVE-2024-6536

CVE, Research URL: CVE-2024-6536
Home page URL: Security reports for Zephyr Project Manager
Application: Zephyr Project Manager
Date: Jul 30, 2024
Research Description: The Zephyr Project Manager WordPress plugin before 3.3.99 does not sanitise and escape some of its settings, which could allow high privilege users such as editors and admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)
Affected versions: Min -, max -.
Status: vulnerable

Aug 04, 2024

Zephyr Project Manager # CVE-2024-7356

CVE, Research URL: CVE-2024-7356
Home page URL: Security reports for Zephyr Project Manager
Application: Zephyr Project Manager
Date: Aug 03, 2024
Research Description: The Zephyr Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘filename’ parameter in all versions up to, and including, 3.3.100 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions: Min -, max -.
Status: vulnerable

Aug 16, 2024

Zephyr Project Manager # CVE-2024-7624

CVE, Research URL: CVE-2024-7624
Home page URL: Security reports for Zephyr Project Manager
Application: Zephyr Project Manager
Date: Aug 15, 2024
Research Description: The Zephyr Project Manager plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 3.3.101. This is due to the plugin not properly checking a users capabilities before allowing them to enable access to the plugin's settings through the update_user_access() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to grant themselves full access to the plugin's settings.
Affected versions: Min -, max -.
Status: vulnerable

Aug 20, 2024

Zephyr Project Manager # CVE-2024-43322

CVE, Research URL: CVE-2024-43322
Home page URL: Security reports for Zephyr Project Manager
Application: Zephyr Project Manager
Date: Aug 19, 2024
Research Description: Authorization Bypass Through User-Controlled Key vulnerability in Dylan James Zephyr Project Manager.This issue affects Zephyr Project Manager: from n/a through 3.3.100.
Affected versions: Min -, max -.
Status: vulnerable

Aug 24, 2024

Zephyr Project Manager # CVE-2024-43915

CVE, Research URL: CVE-2024-43915
Home page URL: Security reports for Zephyr Project Manager
Application: Zephyr Project Manager
Date: Aug 27, 2024
Research Description: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Dylan James Zephyr Project Manager allows Reflected XSS.This issue affects Zephyr Project Manager: from n/a through .3.102.
Affected versions: Min -, max -.
Status: vulnerable

Zephyr Project Manager # CVE-2024-43916

CVE, Research URL: CVE-2024-43916
Home page URL: Security reports for Zephyr Project Manager
Application: Zephyr Project Manager
Date: Aug 27, 2024
Research Description: Authorization Bypass Through User-Controlled Key vulnerability in Dylan James Zephyr Project Manager.This issue affects Zephyr Project Manager: from n/a through 3.3.102.
Affected versions: Min -, max -.
Status: vulnerable

Apr 14, 2025

Zephyr Project Manager # CVE-2025-32526

CVE, Research URL: CVE-2025-32526
Home page URL: Security reports for Zephyr Project Manager
Application: Zephyr Project Manager
Date: -
Research Description: Zephyr Project Manager [zephyr-project-manager] < 3.3.102 CVE-2025-32526
Affected versions: Min -, max -.
Status: vulnerable