Zephyr Project Manager <= 3.3.100 - Authenticated (Subscriber+) Stored Cross-Site Scripting via filename Parameter
Description
Stored XSS in Zephyr Project Manager plugin via filename parameter, allowing authenticated attackers with Subscriber access to inject scripts.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Zephyr Project Manager plugin for WordPress, in all versions up to and including 3.3.100, contains a stored cross-site scripting (XSS) vulnerability in its file upload functionality. The 'filename' parameter is not properly sanitized before being stored and later displayed, which allows arbitrary web script to be injected [1].
Exploitation
An attacker must be authenticated with at least Subscriber-level access. The attacker can upload a file with a malicious payload embedded in the filename. When a victim (e.g., an administrator or other user) accesses a page where the uploaded file is displayed (e.g., the file manager or project page), the stored script executes in the victim's browser context [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can lead to session hijacking, cookie theft, redirection to malicious sites, or defacement. The attack does not require any special user interaction beyond viewing the affected page [1].
Mitigation
The issue is addressed in version 3.3.205 of the plugin, as noted in the plugin repository. Users should update to the latest version (3.3.205 or higher) to mitigate the vulnerability. No workarounds are provided [1].
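The defect class described above, shown as an added PHP illustration that is not Zephyr Project Manager's own code: a handler that stores and echoes the submitted filename unchanged, beside a hardened version. The `zpm_demo_*` function names and the option key are hypothetical; `sanitize_file_name()`, `wp_unslash()`, `esc_html()`, `current_user_can()`, `get_option()` and `update_option()` are WordPress core functions.

```php
<?php
// Illustrative only; not the plugin's code. Function names and the
// option key 'zpm_demo_last_file' are hypothetical.

// Unsafe pattern: the submitted filename is stored verbatim and later
// echoed raw, so any markup it contains is interpreted by the browser
// of whoever views the listing (stored XSS sink).
function zpm_demo_store_file_unsafe( array $file ) {
    $name = $file['name'];                   // user-controlled string
    update_option( 'zpm_demo_last_file', $name );
}

function zpm_demo_render_unsafe() {
    $name = get_option( 'zpm_demo_last_file', '' );
    echo '<li>' . $name . '</li>';           // no output escaping
}

// Hardened pattern: check a capability on the way in, normalise the
// filename before storing it, and escape it on the way out. Output
// escaping is the control that stops the script from running; the
// capability check and input sanitisation are defence in depth
// (other code paths may still store an unsanitised name).
function zpm_demo_store_file_safe( array $file ) {
    if ( ! current_user_can( 'upload_files' ) ) {
        return false;                        // Subscribers lack this by default
    }
    $name = sanitize_file_name( wp_unslash( $file['name'] ) );
    update_option( 'zpm_demo_last_file', $name );
    return true;
}

function zpm_demo_render_safe() {
    $name = get_option( 'zpm_demo_last_file', '' );
    echo '<li>' . esc_html( $name ) . '</li>'; // HTML-escaped at the sink
}
```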
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- dylanjkotze/Zephyr Project Manager: versions <= 3.3.100
Patches
- r3129917
References