Zephyr Project Manager < 3.3.99 - Editor+ XSS
Description
The Zephyr Project Manager plugin < 3.3.99 allows editor+ users to perform stored XSS via unsanitized settings, even when unfiltered_html is disallowed.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Zephyr Project Manager WordPress plugin before version 3.3.99 neither sanitizes some of its settings when they are saved nor escapes them when they are rendered back into the settings page. A user with the editor role or higher can therefore store arbitrary JavaScript in those settings, giving stored XSS. The attack works even where the unfiltered_html capability has been withheld (for example on multisite installs, where only super admins hold it), so the plugin itself, not WordPress's capability model, is what lets the script through. [1]
Exploitation
An attacker with an editor or administrator account saves a script payload into one of the affected settings fields. The payload is then executed in the browser of any user who later loads the page that renders the unescaped value; the reference identifies the plugin's settings as the affected data but does not list the specific fields or pages. No interaction beyond loading that page is required of the victim. [1]
Impact
Successful exploitation results in stored cross-site scripting (XSS). The attacker's script runs in the context of every user who views the affected page, which on a settings page typically means other administrators, enabling session hijacking, data theft, or actions performed with the victim's privileges. Exploitation requires editor or higher, but the resulting compromise can reach accounts above the attacker's own. [1]
Mitigation
The vulnerability is fixed in version 3.3.99 of the plugin; users should update to that version or later. No other workarounds are mentioned in the available reference. Restricting unfiltered_html (as multisite already does) does not protect against this issue, since the bug is present regardless of that capability. [1]
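The pattern behind this class of bug, and the usual fix, shown as an added example in WordPress-style PHP. This is illustrative code written for this page, not Zephyr Project Manager's own code, and the option name `zpm_demo_title`, the settings group `zpm_demo`, and the test payload are hypothetical. The stand-in functions at the top only exist so the file runs under plain `php` outside WordPress; inside WordPress the real `esc_attr`, `sanitize_text_field` and `register_setting` are used.

```php
<?php
// Added illustrative example, not the plugin's code. Names are hypothetical.
// Stand-ins approximate the WordPress helpers so this runs outside WordPress.
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
}
if (!function_exists('sanitize_text_field')) {
    // Approximation: WordPress strips tags and trims; it does NOT encode quotes.
    function sanitize_text_field($s) { return trim(strip_tags((string) $s)); }
}

// VULNERABLE PATTERN: request value stored as-is, option echoed as-is.
// An editor can save a value that breaks out of the value="..." attribute.
function zpm_demo_save_vulnerable(array $post, array &$options) {
    $options['zpm_demo_title'] = $post['zpm_demo_title'] ?? '';
}
function zpm_demo_render_vulnerable(array $options) {
    return '<input name="zpm_demo_title" value="' . ($options['zpm_demo_title'] ?? '') . '">';
}

// HARDENED PATTERN: sanitize on save, escape for the attribute context on output.
// Escaping on output is the part that actually neutralises the attribute breakout;
// sanitizing on save limits what gets stored but leaves quotes intact.
function zpm_demo_sanitize($value) {
    return sanitize_text_field((string) $value);
}
function zpm_demo_save_hardened(array $post, array &$options) {
    $options['zpm_demo_title'] = zpm_demo_sanitize($post['zpm_demo_title'] ?? '');
}
function zpm_demo_render_hardened(array $options) {
    return '<input name="zpm_demo_title" value="' . esc_attr($options['zpm_demo_title'] ?? '') . '">';
}

if (function_exists('register_setting')) {
    // Inside WordPress: run the sanitizer on every save of the option, regardless
    // of whether the saving user holds unfiltered_html.
    register_setting('zpm_demo', 'zpm_demo_title', ['sanitize_callback' => 'zpm_demo_sanitize']);
}

if (PHP_SAPI === 'cli') {
    // Constructed payload: closes the value attribute and adds an event handler.
    $payload = '" autofocus onfocus="alert(document.cookie)';
    $opts = [];

    zpm_demo_save_vulnerable(['zpm_demo_title' => $payload], $opts);
    echo "vulnerable: ", zpm_demo_render_vulnerable($opts), "\n";
    // -> <input name="zpm_demo_title" value="" autofocus onfocus="alert(document.cookie)">

    zpm_demo_save_hardened(['zpm_demo_title' => $payload], $opts);
    echo "hardened:   ", zpm_demo_render_hardened($opts), "\n";
    // -> <input name="zpm_demo_title" value="&quot; autofocus onfocus=&quot;alert(document.cookie)">
}
```

Note that the sanitizer alone does not stop this payload: it contains no tags, so `sanitize_text_field` passes it through unchanged, and only `esc_attr` at render time keeps it inside the attribute. Checking `current_user_can('unfiltered_html')` before saving would not help either, since the vulnerable path never consulted that capability in the first place.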
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Zephyr Project Manager (WordPress plugin), range: < 3.3.99
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] https://wpscan.com/vulnerability/ee40c1c6-4186-4b97-866c-fb0e76cedeb8/
News mentions
No linked articles in our index yet.