CVE-2022-2839
Published: 2022-10-03
Priority: P424 · medium · 5.4 (CVSS 3.1)
Vector: AV:N / AC:L / PR:L / UI:R / S:C / C:L / I:L / A:N
EPSS: 0.38% (29.9th percentile)
The Zephyr Project Manager WordPress plugin before 3.2.55 does not have any authorisation as well as CSRF in all its AJAX actions, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks against logged in admins.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zephyr-one | zephyr_project_manager | < 3.2.55 | 3.2.55 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| osv | | 5.4 | MEDIUM | |
GHSA
GHSA-p2c9-6h79-p9j6: The Zephyr Project Manager WordPress plugin before 3
ghsa_unreviewed · 2022-10-04 · CVE-2022-2839 · MEDIUM · CWE-352
OSV
CVE-2022-2839: The Zephyr Project Manager WordPress plugin before 3
osv · 2022-10-03 · CVSS 5.4 · MEDIUM
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.