Zephyr Project Manager

Source repositories

https://plugins.svn.wordpress.org/zephyr-project-manager/

CVEs (12)

CVE	Vendor / Product	Sev	Risk	CVSS	EPSS	Published	Description
CVE-2025-54714	WordPress Zephyr Project Manager	Hig	0.46	7.1	0.00	Aug 28, 2025	Missing Authorization vulnerability in Dylan James Zephyr Project Manager zephyr-project-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Zephyr Project Manager: from n/a through <= 3.3.201.
CVE-2025-32526	Zephyr One Zephyr Project Manager	Hig	0.46	7.1	0.01	Apr 17, 2025	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dylan James Zephyr Project Manager zephyr-project-manager allows Reflected XSS.This issue affects Zephyr Project Manager: from n/a through <= 3.3.101.
CVE-2022-1822	WordPress Zephyr Project Manager	Med	0.40	6.1	0.02	Jun 13, 2022	The Zephyr Project Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘project’ parameter in versions up to, and including, 3.2.40 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated…
CVE-2025-12496	WordPress Zephyr Project Manager	Med	0.32	4.9	0.00	Dec 17, 2025	The Zephyr Project Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.203 via the `file` parameter. This makes it possible for authenticated attackers, with Custom-level access and above, to read the contents of arbitrary…
CVE-2023-31237	Zephyr Project Manager Project Zephyr Project Manager	Med	0.31	4.7	0.00	Dec 29, 2023	URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Dylan James Zephyr Project Manager.This issue affects Zephyr Project Manager: from n/a through 3.3.9.
CVE-2025-10490	WordPress Zephyr Project Manager	Med	0.29	4.4	0.00	Sep 26, 2025	The Zephyr Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.3.202 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with…
CVE-2024-6536	WordPress Zephyr Project Manager		0.04	—	0.52	Jul 30, 2024	The Zephyr Project Manager WordPress plugin before 3.3.99 does not sanitise and escape some of its settings, which could allow high privilege users such as editors and admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed…
CVE-2022-2840	WordPress Zephyr Project Manager		0.03	—	0.04	Sep 19, 2022	The Zephyr Project Manager WordPress plugin before 3.2.5 does not sanitise and escape various parameters before using them in SQL statements via various AJAX actions available to both unauthenticated and authenticated users, leading to SQL injections
CVE-2024-7356	WordPress Zephyr Project Manager		0.00	—	0.00	Aug 3, 2024	The Zephyr Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘filename’ parameter in all versions up to, and including, 3.3.100 due to insufficient input sanitization and output escaping. This makes it possible for authenticated…
CVE-2023-34373	WordPress Zephyr Project Manager		0.00	—	0.00	Jun 19, 2023	Cross-Site Request Forgery (CSRF) vulnerability in Dylan James Zephyr Project Manager plugin <= 3.3.93 versions.
CVE-2022-2839	WordPress Zephyr Project Manager		0.00	—	0.00	Oct 3, 2022	The Zephyr Project Manager WordPress plugin before 3.2.55 does not have any authorisation as well as CSRF in all its AJAX actions, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could…
CVE-2022-3333	WordPress Zephyr Project Manager		0.00	—	0.00	Sep 28, 2022	A vulnerability, which was classified as problematic, was found in Zephyr Project Manager up to 3.2.4. Affected is an unknown function of the file /v1/tasks/create/ of the component REST Call Handler. The manipulation of the argument onanimationstart leads to cross site…

CVE-2025-54714HigAug 28, 2025
WordPress
Zephyr Project Manager
risk 0.46cvss 7.1epss 0.00
Missing Authorization vulnerability in Dylan James Zephyr Project Manager zephyr-project-manager allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Zephyr Project Manager: from n/a through <= 3.3.201.
CVE-2025-32526HigApr 17, 2025
Zephyr One
Zephyr Project Manager
risk 0.46cvss 7.1epss 0.01
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dylan James Zephyr Project Manager zephyr-project-manager allows Reflected XSS.This issue affects Zephyr Project Manager: from n/a through <= 3.3.101.
CVE-2022-1822MedJun 13, 2022
WordPress
Zephyr Project Manager
risk 0.40cvss 6.1epss 0.02
The Zephyr Project Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘project’ parameter in versions up to, and including, 3.2.40 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated…
CVE-2025-12496MedDec 17, 2025
WordPress
Zephyr Project Manager
risk 0.32cvss 4.9epss 0.00
The Zephyr Project Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.203 via the `file` parameter. This makes it possible for authenticated attackers, with Custom-level access and above, to read the contents of arbitrary…
CVE-2023-31237MedDec 29, 2023
Zephyr Project Manager Project
Zephyr Project Manager
risk 0.31cvss 4.7epss 0.00
URL Redirection to Untrusted Site ('Open Redirect') vulnerability in Dylan James Zephyr Project Manager.This issue affects Zephyr Project Manager: from n/a through 3.3.9.
CVE-2025-10490MedSep 26, 2025
WordPress
Zephyr Project Manager
risk 0.29cvss 4.4epss 0.00
The Zephyr Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.3.202 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with…
CVE-2024-6536Jul 30, 2024
WordPress
Zephyr Project Manager
risk 0.04cvss —epss 0.52
The Zephyr Project Manager WordPress plugin before 3.3.99 does not sanitise and escape some of its settings, which could allow high privilege users such as editors and admins to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed…
CVE-2022-2840Sep 19, 2022
WordPress
Zephyr Project Manager
risk 0.03cvss —epss 0.04
The Zephyr Project Manager WordPress plugin before 3.2.5 does not sanitise and escape various parameters before using them in SQL statements via various AJAX actions available to both unauthenticated and authenticated users, leading to SQL injections
CVE-2024-7356Aug 3, 2024
WordPress
Zephyr Project Manager
risk 0.00cvss —epss 0.00
The Zephyr Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘filename’ parameter in all versions up to, and including, 3.3.100 due to insufficient input sanitization and output escaping. This makes it possible for authenticated…
CVE-2023-34373Jun 19, 2023
WordPress
Zephyr Project Manager
risk 0.00cvss —epss 0.00
Cross-Site Request Forgery (CSRF) vulnerability in Dylan James Zephyr Project Manager plugin <= 3.3.93 versions.
CVE-2022-2839Oct 3, 2022
WordPress
Zephyr Project Manager
risk 0.00cvss —epss 0.00
The Zephyr Project Manager WordPress plugin before 3.2.55 does not have any authorisation as well as CSRF in all its AJAX actions, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could…
CVE-2022-3333Sep 28, 2022
WordPress
Zephyr Project Manager
risk 0.00cvss —epss 0.00
A vulnerability, which was classified as problematic, was found in Zephyr Project Manager up to 3.2.4. Affected is an unknown function of the file /v1/tasks/create/ of the component REST Call Handler. The manipulation of the argument onanimationstart leads to cross site…