Cross-Site Request Forgery Vulnerability in WordPress Zephyr Project Manager Plugin (CVE-2022-2839)
Versions of the Zephyr Project Manager plugin for WordPress prior to 3.2.55 expose several AJAX actions without authorization or CSRF checks, so an unauthenticated attacker can trigger actions that should be restricted to administrators. Because the same handlers neither sanitize the submitted data nor escape it on output, the flaw also enables stored cross-site scripting against logged-in administrators.
Zephyr Project Manager is a project management plugin for WordPress.
Versions of Zephyr Project Manager before 3.2.55 contain the vulnerability because various AJAX operations are not protected by authorization checks or CSRF nonces: unauthenticated attackers can call the handlers directly, and a logged-in administrator can be tricked into triggering them from an attacker-controlled page. In addition, user-supplied data is stored without sanitization and rendered without escaping, which allows stored cross-site scripting payloads to execute in the browser of an administrator who views the affected content. Note that the two missing checks are independent: a nonce check stops the cross-site request but does not establish privilege, and a capability check establishes privilege but does not stop a forged request, so both are required. Sites should update to version 3.2.55 or later.
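The following PHP is an added illustration of the pattern the advisory describes, written for this page; it is not code from the Zephyr Project Manager plugin. The action names `demo_save_note_unsafe` and `demo_save_note`, the option name `demo_note`, and the script handle `demo-admin` are hypothetical. The first handler shows the three weaknesses together (handler reachable without login, no nonce, no sanitization or escaping); the second shows the standard WordPress remediation for each.

```php
<?php
/*
 * Added illustrative example for this page, not the plugin's own code.
 * Action names, the option name and the script handle are hypothetical.
 */

// --- Vulnerable pattern: the kind of AJAX handler the advisory describes ---
// wp_ajax_nopriv_* makes the handler reachable by visitors who are NOT logged in,
// there is no capability check and no nonce check, the input is stored verbatim,
// and it is echoed back without escaping (a stored XSS sink).
function demo_save_note_unsafe() {
    $note = isset( $_POST['note'] ) ? $_POST['note'] : ''; // raw, attacker-controlled
    update_option( 'demo_note', $note );                    // stored without sanitization
    echo '<div class="note">' . get_option( 'demo_note' ) . '</div>'; // unescaped output
    wp_die();
}
add_action( 'wp_ajax_demo_save_note_unsafe', 'demo_save_note_unsafe' );
add_action( 'wp_ajax_nopriv_demo_save_note_unsafe', 'demo_save_note_unsafe' ); // unauthenticated reach

// --- Hardened pattern ---
function demo_save_note() {
    // 1. CSRF: require a nonce bound to this action. check_ajax_referer() terminates
    //    the request (HTTP 403) when the nonce is missing, expired or forged.
    check_ajax_referer( 'demo_save_note', 'nonce' );

    // 2. Authorization: a valid nonce proves the request came from a page we served,
    //    not that the caller is allowed to do this. Check the capability explicitly.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // 3. Input sanitization and validation before the value is persisted.
    $note = isset( $_POST['note'] ) ? sanitize_text_field( wp_unslash( $_POST['note'] ) ) : '';
    if ( '' === $note || strlen( $note ) > 500 ) {
        wp_send_json_error( array( 'message' => 'Invalid note' ), 400 );
    }
    update_option( 'demo_note', $note );

    // 4. Output escaping at the point of rendering, even though the value was
    //    sanitized on the way in (defense in depth against later code paths).
    wp_send_json_success( array( 'html' => '<div class="note">' . esc_html( $note ) . '</div>' ) );
}
// Registered for logged-in users only: no wp_ajax_nopriv_ hook for a privileged action.
add_action( 'wp_ajax_demo_save_note', 'demo_save_note' );

// Client side: hand the nonce to the admin page script so every request carries it.
function demo_enqueue_admin_script() {
    wp_enqueue_script( 'demo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-admin', 'demoAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'demo_save_note' ), // same action string as check_ajax_referer()
    ) );
}
add_action( 'admin_enqueue_scripts', 'demo_enqueue_admin_script' );
```

When auditing a plugin for this class of issue, grep for `wp_ajax_nopriv_` registrations and for `wp_ajax_` handlers that reach `update_option`, `$wpdb` writes or file operations without a preceding `check_ajax_referer()`/`wp_verify_nonce()` and `current_user_can()` call; each such handler is a candidate for exactly the combination reported here.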
Vulnerability Name: WordPress Zephyr Project Manager Plugin CSRF Vulnerability
Vulnerability Type: -
Discovery Date: 2022-10-03
Impact Scope: Very Small
MPS ID: MPS-2022-55547
CVE ID: CVE-2022-2839
CNVD ID: -