Zephyr Project Manager

zephyr_project_manager

Vendor: Zephyr One • 10 CVEs

CVEs (10)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-32526 1Zephyr One 1Zephyr Project Manager Apr 23, 2026 Apr 17, 2025 N/A· v4 6.1 MEDIUM· v3 N/A· v2 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dylan James Zephyr Project Manager zephyr-project-manager allows Reflected XSS.This issue affects Zephyr Project Manag...Show more Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dylan James Zephyr Project Manager zephyr-project-manager allows Reflected XSS.This issue affects Zephyr Project Manager: from n/a through <= 3.3.101.Show less
CVE-2024-43915 1Zephyr One 1Zephyr Project Manager Aug 28, 2024 Aug 26, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Dylan James Zephyr Project Manager allows Reflected XSS.This issue affects Zephyr Project Manager: from n/a thr...Show more Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Dylan James Zephyr Project Manager allows Reflected XSS.This issue affects Zephyr Project Manager: from n/a through .3.102.Show less
CVE-2024-43322 1Zephyr One 1Zephyr Project Manager Feb 11, 2025 Aug 18, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Authorization Bypass Through User-Controlled Key vulnerability in Dylan James Zephyr Project Manager.This issue affects Zephyr Project Manager: from n/a through 3.3.100.
CVE-2024-7624 1Zephyr One 1Zephyr Project Manager Feb 11, 2025 Aug 15, 2024 N/A· v4 8.1 HIGH· v3 N/A· v2 The Zephyr Project Manager plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 3.3.101. This is due to the plugin not properly checking a users capabilities before all...Show more The Zephyr Project Manager plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 3.3.101. This is due to the plugin not properly checking a users capabilities before allowing them to enable access to the plugin's settings through the update_user_access() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to grant themselves full access to the plugin's settings.Show less
CVE-2024-7356 1Zephyr One 1Zephyr Project Manager Feb 11, 2025 Aug 3, 2024 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The Zephyr Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘filename’ parameter in all versions up to, and including, 3.3.100 due to insufficient input sanitization and output es...Show more The Zephyr Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘filename’ parameter in all versions up to, and including, 3.3.100 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.Show less
CVE-2024-38761 1Zephyr One 1Zephyr Project Manager Feb 11, 2025 Aug 1, 2024 N/A· v4 7.5 HIGH· v3 N/A· v2 Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Dylan James Zephyr Project Manager.This issue affects Zephyr Project Manager: from n/a through 3.3.99.
CVE-2024-37484 1Zephyr One 1Zephyr Project Manager Feb 10, 2025 Jul 9, 2024 N/A· v4 8.8 HIGH· v3 N/A· v2 Improper Privilege Management vulnerability in Dylan James Zephyr Project Manager allows Privilege Escalation.This issue affects Zephyr Project Manager: from n/a through 3.3.97.
CVE-2022-2839 1Zephyr One 1Zephyr Project Manager Nov 21, 2024 Oct 3, 2022 N/A· v4 5.4 MEDIUM· v3 N/A· v2 The Zephyr Project Manager WordPress plugin before 3.2.55 does not have any authorisation as well as CSRF in all its AJAX actions, allowing unauthenticated users to call them either directly or via CSRF attacks. Furtherm...Show more The Zephyr Project Manager WordPress plugin before 3.2.55 does not have any authorisation as well as CSRF in all its AJAX actions, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks against logged in admins.Show less
CVE-2022-3333 1Zephyr One 1Zephyr Project Manager Nov 21, 2024 Sep 28, 2022 N/A· v4 5.4 MEDIUM· v3 N/A· v2 A vulnerability, which was classified as problematic, was found in Zephyr Project Manager up to 3.2.4. Affected is an unknown function of the file /v1/tasks/create/ of the component REST Call Handler. The manipulation of...Show more A vulnerability, which was classified as problematic, was found in Zephyr Project Manager up to 3.2.4. Affected is an unknown function of the file /v1/tasks/create/ of the component REST Call Handler. The manipulation of the argument onanimationstart leads to cross site scripting. It is possible to launch the attack remotely. Upgrading to version 3.2.5 is able to address this issue. It is recommended to upgrade the affected component. VDB-209370 is the identifier assigned to this vulnerability.Show less
CVE-2022-2840 1Zephyr One 1Zephyr Project Manager Nov 21, 2024 Sep 19, 2022 N/A· v4 9.8 CRITICAL· v3 N/A· v2 The Zephyr Project Manager WordPress plugin before 3.2.5 does not sanitise and escape various parameters before using them in SQL statements via various AJAX actions available to both unauthenticated and authenticated us...Show more The Zephyr Project Manager WordPress plugin before 3.2.5 does not sanitise and escape various parameters before using them in SQL statements via various AJAX actions available to both unauthenticated and authenticated users, leading to SQL injectionsShow less