WordPress Zephyr Project Manager Plugin <= 3.3.93 is vulnerable to Cross Site Request Forgery (CSRF)
Description
CSRF vulnerability in Zephyr Project Manager plugin for WordPress versions <= 3.3.93 allows attackers to perform unauthorized actions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Zephyr Project Manager plugin for WordPress versions up to and including 3.3.93 is vulnerable to Cross-Site Request Forgery (CSRF). This flaw allows an attacker to trick an authenticated administrator into performing unintended actions, such as modifying plugin settings or creating unauthorized projects or tasks, without their knowledge.
Exploitation
To exploit this vulnerability, an attacker must craft a malicious link or script and convince an authenticated administrator to interact with it while they have an active session. No additional authentication or network access is required beyond the ability to deliver the payload (e.g., via email or a compromised site).
Impact
Successful exploitation could lead to unauthorized modifications within the plugin, including creating, editing, or deleting projects, tasks, and settings. The attacker effectively leverages the administrator's privileges to perform actions that may disrupt project management workflows or exfiltrate sensitive data.
Mitigation
The vulnerability is fixed in version 3.3.94 or later. Users should update the Zephyr Project Manager plugin to the latest version (3.3.205 as of this writing) from the WordPress plugin repository [1]. No workaround is available for older versions.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
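The Vulnerability and Mitigation sections above describe the class of flaw but not the plugin's code, so the following is an added illustration, not Zephyr Project Manager's own source: a WordPress admin-post handler as it looks when any cookie-bearing POST is honoured, beside the same handler guarded by the capability and nonce checks WordPress provides. The action slug, nonce action, option name and capability are assumptions chosen for the example.

```php
<?php
// Added illustration, not the plugin's code. The slug 'zpm_demo_save_settings',
// the nonce action/name, the option name and the capability are assumptions.

// BEFORE: a settings handler that trusts any POST carrying the session cookie.
// A form auto-submitted from a third-party page is processed because the
// browser attaches the administrator's WordPress auth cookies to the request.
function zpm_demo_save_settings_unprotected() {
    if ( ! isset( $_POST['zpm_demo_project_prefix'] ) ) {
        wp_die( 'Missing field' );
    }
    $prefix = sanitize_text_field( wp_unslash( $_POST['zpm_demo_project_prefix'] ) );
    update_option( 'zpm_demo_project_prefix', $prefix );
    wp_safe_redirect( admin_url( 'admin.php?page=zpm_demo&saved=1' ) );
    exit;
}

// AFTER: the same handler with the two checks a state-changing request needs.
// current_user_can() answers "may this user do this at all?"; the nonce check
// answers "did this request come from a form the site rendered for this user?".
// check_admin_referer() stops with a 403 when the nonce is absent, expired, or
// minted for a different user, so a cross-site form cannot reach update_option().
function zpm_demo_save_settings_protected() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'zpm_demo_save_settings', 'zpm_demo_nonce' );
    if ( ! isset( $_POST['zpm_demo_project_prefix'] ) ) {
        wp_die( 'Missing field' );
    }
    $prefix = sanitize_text_field( wp_unslash( $_POST['zpm_demo_project_prefix'] ) );
    update_option( 'zpm_demo_project_prefix', $prefix );
    wp_safe_redirect( admin_url( 'admin.php?page=zpm_demo&saved=1' ) );
    exit;
}
add_action( 'admin_post_zpm_demo_save_settings', 'zpm_demo_save_settings_protected' );

// The legitimate settings form embeds the matching nonce. The value is derived
// from the logged-in user's session, so an attacker's page cannot supply it.
function zpm_demo_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="zpm_demo_save_settings">
        <?php wp_nonce_field( 'zpm_demo_save_settings', 'zpm_demo_nonce' ); ?>
        <input type="text" name="zpm_demo_project_prefix"
               value="<?php echo esc_attr( get_option( 'zpm_demo_project_prefix', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

Auditing a plugin for this bug class means locating every handler hooked to admin_post_*, wp_ajax_* or a form submission and confirming both checks are present before any write.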
Affected products
- Range: <= 3.3.93
- Dylan James / Zephyr Project Manager, Range: n/a
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.