Zephyr Project Manager < 3.2.55 - Unauthorised AJAX Calls To Stored XSS
Description
Unauthenticated users can call AJAX actions in Zephyr Project Manager < 3.2.55, enabling stored XSS via lack of sanitization and CSRF.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Zephyr Project Manager WordPress plugin before version 3.2.55 lacks authorization and CSRF protection on all its AJAX actions, as reported in reference [1]. This allows unauthenticated attackers to invoke these actions directly or via cross-site request forgery. Additionally, the plugin does not sanitize or escape the input, enabling stored cross-site scripting (XSS).
Exploitation
An unauthenticated attacker can either send AJAX requests directly to the plugin's endpoints or trick an authenticated administrator into issuing the request via CSRF. No special network position is required; the only user interaction needed is luring an administrator when the CSRF route is used. The attacker can then inject JavaScript payloads that are stored and executed when an administrator views the affected page.
Impact
Successful exploitation results in stored XSS, allowing the attacker to execute arbitrary JavaScript in the context of an administrator's session. This can lead to privilege escalation, data theft, or further compromise of the WordPress site.
Mitigation
The vulnerability is fixed in version 3.2.55 of the Zephyr Project Manager plugin, as indicated by the advisory [1]. Administrators should update to this version immediately. No known workarounds are available, and the issue is not listed on CISA's KEV.
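As an added illustration (not the plugin's own code; the `demo_save_note` action and option name are hypothetical), the AJAX handler pattern the advisory describes beside its hardened form. The four controls in the hardened version map to the four failures above: authorization, CSRF protection, input sanitization and output escaping.

```php
<?php
// Constructed example, not Zephyr Project Manager's code. Action name,
// option name and capability are assumptions chosen for illustration.

// BEFORE: the pattern the advisory describes. The wp_ajax_nopriv_ hook makes
// the action reachable without login, there is no nonce (CSRF), no capability
// check, and the value is stored verbatim.
add_action( 'wp_ajax_demo_save_note', 'demo_save_note_insecure' );
add_action( 'wp_ajax_nopriv_demo_save_note', 'demo_save_note_insecure' );
function demo_save_note_insecure() {
    update_option( 'demo_note', $_POST['note'] ); // unsanitized, stored as-is
    wp_send_json_success();
}

// AFTER: hardened handler. Registered on wp_ajax_ only, so anonymous
// callers never reach it.
add_action( 'wp_ajax_demo_save_note', 'demo_save_note_secure' );
function demo_save_note_secure() {
    // 1. CSRF: require a nonce minted for this action on the admin page
    //    (wp_create_nonce( 'demo_save_note' )); dies with 403 on mismatch.
    check_ajax_referer( 'demo_save_note', 'nonce' );

    // 2. Authorization: being logged in is not enough; require a capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input sanitization before anything is stored.
    $note = isset( $_POST['note'] )
        ? sanitize_text_field( wp_unslash( $_POST['note'] ) )
        : '';
    if ( '' === $note ) {
        wp_send_json_error( array( 'message' => 'empty note' ), 400 );
    }
    update_option( 'demo_note', $note );
    wp_send_json_success( array( 'saved' => true ) );
}

// 4. Output escaping wherever the stored value is rendered in the admin UI,
//    so a value that slipped past sanitization still cannot execute.
function demo_render_note() {
    echo '<p class="demo-note">' . esc_html( get_option( 'demo_note', '' ) ) . '</p>';
}
```

Sanitization on write and escaping on read are independent layers; stored XSS of the kind described needs both to be missing on the rendering path.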
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <=3.2.54
Patches
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE: the mechanics section is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
[1] https://wpscan.com/vulnerability/82e01f95-81c2-46d8-898e-07b3b8a3f8c9 (MITRE, x_refsource_MISC)
News mentions
No linked articles in our index yet.