VYPR
Unrated severity · NVD Advisory · Published Sep 19, 2022 · Updated Aug 3, 2024

Zephyr Project Manager < 3.2.5 - Multiple Unauthenticated SQLi

CVE-2022-2840

Description

Zephyr Project Manager WordPress plugin before 3.2.5 is vulnerable to multiple unauthenticated SQL injection attacks via unsanitized AJAX parameters, allowing data extraction.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Zephyr Project Manager WordPress plugin prior to version 3.2.5 fails to sanitize and escape several parameters before using them in SQL statements across multiple AJAX actions. Because both unauthenticated and authenticated users can trigger these actions, the SQL injection is reachable without prior authentication. All versions before 3.2.5 are affected [1].

Exploitation

No authentication is required to exploit these flaws. By sending crafted AJAX requests that carry malicious input in the unsanitized parameters, an attacker can inject arbitrary SQL, because the plugin embeds these parameters in its SQL queries without proper sanitization [1].

Impact

Successful exploitation allows an attacker to read sensitive data from the WordPress database, such as user credentials, posts, and other configuration details. This results in information disclosure, potentially compromising the entire site's security [1].

Mitigation

The vulnerability is fixed in version 3.2.5 of the Zephyr Project Manager plugin. Users should update to this version or later immediately. No other mitigations are provided in the references [1].

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Vulnerability mechanics

Root cause

"The Zephyr Project Manager WordPress plugin fails to sanitize and escape user-supplied input before incorporating it into SQL queries."

Attack vector

An attacker can exploit this vulnerability by sending specially crafted requests to the `admin-ajax.php` endpoint. These requests target AJAX actions such as `zpm_view_project` and `zpm_get_task_data`. By manipulating parameters like `project_id` with SQL injection payloads, an attacker can execute arbitrary SQL commands on the database [1]. This can be performed by both unauthenticated and authenticated users.

Affected code

The vulnerability exists in the Zephyr Project Manager WordPress plugin, specifically within its handling of AJAX requests processed by `wp-admin/admin-ajax.php`. The plugin fails to validate and sanitize input parameters such as `project_id` before they are used in database queries related to project and task data retrieval [1].

What the fix does

The patch addresses the SQL injection vulnerability by implementing proper sanitization and escaping for user-supplied parameters before they are used in SQL queries. This ensures that malicious input cannot alter the intended SQL statements, thereby preventing unauthorized data access or modification. The advisory does not specify the exact version containing the fix, but it is noted that version 3.2.5 resolves this issue.
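As an added illustration of the sanitize-and-escape fix described above (not code from the plugin or the advisory), the unsafe pattern is shown beside a hardened `admin-ajax.php` handler. The `zpm_view_project` action and the `project_id` and `zpm_nonce` parameters come from this page; the table name `zpm_projects` and the function names are hypothetical.

```php
<?php
// Added illustration, not the plugin's code. Table and function names are
// hypothetical; the action and parameter names are those named in the advisory.

// Vulnerable pattern: project_id is interpolated into the query unsanitized,
// so a value such as "1 AND 4923=4923" changes the statement instead of being
// treated as data (the boolean-based probe in the reproduction section).
function zpm_view_project_unsafe() {
    global $wpdb;
    $project_id = $_POST['project_id'];
    $sql = "SELECT * FROM {$wpdb->prefix}zpm_projects WHERE id = $project_id";
    wp_send_json( $wpdb->get_results( $sql ) );
}

// Hardened pattern: the nonce is verified (CSRF), the caller's capability is
// checked (authorization; a nonce alone does not authorize), the id is coerced
// to a non-negative integer, and the value is bound through $wpdb->prepare()
// so it can never alter the SQL structure.
function zpm_view_project_safe() {
    check_ajax_referer( 'zpm_nonce', 'zpm_nonce' );
    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    global $wpdb;
    $project_id = isset( $_POST['project_id'] ) ? absint( $_POST['project_id'] ) : 0;
    if ( 0 === $project_id ) {
        wp_send_json_error( 'invalid project_id', 400 );
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}zpm_projects WHERE id = %d",
        $project_id
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// Registering only the wp_ajax_ hook (and not wp_ajax_nopriv_) keeps the
// action out of reach of unauthenticated requests, which the advisory notes
// could trigger the vulnerable actions.
add_action( 'wp_ajax_zpm_view_project', 'zpm_view_project_safe' );
```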

Preconditions

  • Input: The attacker must provide a malicious payload within the `project_id` parameter or other vulnerable input fields.
  • Auth: The vulnerability can be exploited by both unauthenticated and authenticated users.

Reproduction

POST /wp-admin/admin-ajax.php HTTP/2
Host: vuln.local
Cookie: ...
Referer: https://vuln.local/wp-admin/admin.php?page=zephyr_project_manager_projects
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest

action=zpm_view_project&project_id=1 AND 4923=4923&zpm_nonce=22858bf3a7

Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
