CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43915 – WordPress Zephyr Project Manager plugin <=3.3.102 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-43915
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Dylan James Zephyr Project Manager allows Reflected XSS.This issue affects Zephyr Project Manager: from n/a through .3.102. The Zephyr Project Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 3.3.102 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. • https://patchstack.com/database/vulnerability/zephyr-project-manager/wordpress-zephyr-project-manager-plugin-3-3-102-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43916 – WordPress Zephyr Project Manager plugin <= 3.3.102 - Insecure Direct Object References (IDOR) vulnerability
https://notcve.org/view.php?id=CVE-2024-43916
Authorization Bypass Through User-Controlled Key vulnerability in Dylan James Zephyr Project Manager.This issue affects Zephyr Project Manager: from n/a through 3.3.102. The Zephyr Project Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the via the 'create_status‘, ‘update_status‘, and ‘delete_status‘ functions in all versions up to, and including, 3.3.102. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update statuses. • https://patchstack.com/database/vulnerability/zephyr-project-manager/wordpress-zephyr-project-manager-plugin-3-3-102-insecure-direct-object-references-idor-vulnerability?_s_id=cve • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 5.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43322 – WordPress Zephyr Project Manager plugin <= 3.3.100 - Insecure Direct Object References (IDOR) vulnerability
https://notcve.org/view.php?id=CVE-2024-43322
Authorization Bypass Through User-Controlled Key vulnerability in Dylan James Zephyr Project Manager.This issue affects Zephyr Project Manager: from n/a through 3.3.100. The Zephyr Project Manager plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.100 via the updateTaskStatus() due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to edit task statuses that do not belong to them. • https://patchstack.com/database/vulnerability/zephyr-project-manager/wordpress-zephyr-project-manager-plugin-3-3-100-insecure-direct-object-references-idor-vulnerability?_s_id=cve • CWE-639: Authorization Bypass Through User-Controlled Key •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-38761 – WordPress Zephyr Project Manager plugin <= 3.3.99 - Sensitive Data Exposure via Export File vulnerability
https://notcve.org/view.php?id=CVE-2024-38761
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Dylan James Zephyr Project Manager.This issue affects Zephyr Project Manager: from n/a through 3.3.99. The Zephyr Project Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.99 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information contained in the exposed log files. • https://patchstack.com/database/vulnerability/zephyr-project-manager/wordpress-zephyr-project-manager-plugin-3-3-99-sensitive-data-exposure-via-export-file-vulnerability?_s_id=cve • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-532: Insertion of Sensitive Information into Log File •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-37484 – WordPress Zephyr Project Manager plugin <= 3.3.97 - Privilege Escalation vulnerability
https://notcve.org/view.php?id=CVE-2024-37484
Improper Privilege Management vulnerability in Dylan James Zephyr Project Manager allows Privilege Escalation.This issue affects Zephyr Project Manager: from n/a through 3.3.97. La vulnerabilidad de gestión de privilegios inadecuada en Dylan James Zephyr Project Manager permite la escalada de privilegios. Este problema afecta a Zephyr Project Manager: desde n/a hasta 3.3.97. The Zephyr Project Manager plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 3.3.97. This is due to the plugin not properly verifying user meta updated through the update_user_meta function. • https://patchstack.com/database/vulnerability/zephyr-project-manager/wordpress-zephyr-project-manager-plugin-3-3-97-privilege-escalation-vulnerability?_s_id=cve • CWE-269: Improper Privilege Management CWE-862: Missing Authorization •