cbcvebase.

Zephyr-One Zephyr Project Manager vulnerabilities

10 known vulnerabilities affecting zephyr-one/zephyr_project_manager.

Total CVEs
10
CISA KEV
0
Public exploits
1
Exploited in wild
0
Severity breakdown
CRITICAL2HIGH3MEDIUM5

Vulnerabilities

Page 1 of 1
CVE-2022-2840P2CRITICALCVSS 9.8PoCfixed in 3.2.52022-09-19
CVE-2022-2840 [CRITICAL] CWE-89 CVE-2022-2840: The Zephyr Project Manager WordPress plugin before 3.2.5 does not sanitise and escape various parame The Zephyr Project Manager WordPress plugin before 3.2.5 does not sanitise and escape various parameters before using them in SQL statements via various AJAX actions available to both unauthenticated and authenticated users, leading to SQL injections
nvd
CVE-2024-37484P3HIGHCVSS 8.8fixed in 3.3.992024-07-09
CVE-2024-37484 [HIGH] CWE-269 CVE-2024-37484: Improper Privilege Management vulnerability in Dylan James Zephyr Project Manager allows Privilege E Improper Privilege Management vulnerability in Dylan James Zephyr Project Manager allows Privilege Escalation.This issue affects Zephyr Project Manager: from n/a through 3.3.97.
nvd
CVE-2024-43322P3CRITICALCVSS 9.8fixed in 3.3.1012024-08-18
CVE-2024-43322 [CRITICAL] CWE-639 CVE-2024-43322: Authorization Bypass Through User-Controlled Key vulnerability in Dylan James Zephyr Project Manager Authorization Bypass Through User-Controlled Key vulnerability in Dylan James Zephyr Project Manager.This issue affects Zephyr Project Manager: from n/a through 3.3.100.
nvd
CVE-2024-7624P3HIGHCVSS 8.1fixed in 3.3.1022024-08-15
CVE-2024-7624 [HIGH] CWE-285 CVE-2024-7624: The Zephyr Project Manager plugin for WordPress is vulnerable to limited privilege escalation in all The Zephyr Project Manager plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 3.3.101. This is due to the plugin not properly checking a users capabilities before allowing them to enable access to the plugin's settings through the update_user_access() function. This makes it possible for authenticate
nvd
CVE-2024-38761P3HIGHCVSS 7.5fixed in 3.3.1002024-08-01
CVE-2024-38761 [HIGH] CWE-200 CVE-2024-38761: Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Dylan James Zephyr Proje Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Dylan James Zephyr Project Manager.This issue affects Zephyr Project Manager: from n/a through 3.3.99.
nvd
CVE-2022-3333P4MEDIUMCVSS 5.4fixed in 3.2.52022-09-28
CVE-2022-3333 [MEDIUM] CWE-707 CVE-2022-3333: A vulnerability, which was classified as problematic, was found in Zephyr Project Manager up to 3.2. A vulnerability, which was classified as problematic, was found in Zephyr Project Manager up to 3.2.4. Affected is an unknown function of the file /v1/tasks/create/ of the component REST Call Handler. The manipulation of the argument onanimationstart leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 3.2.
nvd
CVE-2022-2839P4MEDIUMCVSS 5.4fixed in 3.2.552022-10-03
CVE-2022-2839 [MEDIUM] CWE-79 CVE-2022-2839: The Zephyr Project Manager WordPress plugin before 3.2.55 does not have any authorisation as well as The Zephyr Project Manager WordPress plugin before 3.2.55 does not have any authorisation as well as CSRF in all its AJAX actions, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks against log
nvd
CVE-2025-32526P4MEDIUMCVSS 6.1≤ 3.3.1022025-04-17
CVE-2025-32526 [MEDIUM] CWE-79 CVE-2025-32526: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability i Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dylan James Zephyr Project Manager zephyr-project-manager allows Reflected XSS.This issue affects Zephyr Project Manager: from n/a through <= 3.3.101.
nvd
CVE-2024-7356P4MEDIUMCVSS 5.4fixed in 3.3.1012024-08-03
CVE-2024-7356 [MEDIUM] CWE-79 CVE-2024-7356: The Zephyr Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the The Zephyr Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘filename’ parameter in all versions up to, and including, 3.3.100 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in
nvd
CVE-2024-43915P4MEDIUMCVSS 5.4fixed in 3.3.1032024-08-26
CVE-2024-43915 [MEDIUM] CWE-79 CVE-2024-43915: Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerab Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Dylan James Zephyr Project Manager allows Reflected XSS.This issue affects Zephyr Project Manager: from n/a through .3.102.
nvd
Zephyr-One Zephyr Project Manager vulnerabilities | cvebase