cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-7624,https://securityvulnerability.io/vulnerability/CVE-2024-7624,Limited Privilege Escalation Vulnerability in Zephyr Project Manager for WordPress,"The Zephyr Project Manager plugin for WordPress is susceptible to a privilege escalation vulnerability across all versions up to and including 3.3.101. This flaw arises from the plugin's failure to validate user capabilities correctly within the update_user_access() function. As a result, authenticated users with subscriber-level access or higher can manipulate their permissions, enabling unrestricted access to the plugin's settings. This could allow them to alter configurations and potentially compromise the integrity of the WordPress installation.",Wordpress,Zephyr Project Manager,8.1,HIGH,0.0006000000284984708,false,,false,false,false,,false,false,2024-08-15T02:30:36.734Z,0
CVE-2024-7356,https://securityvulnerability.io/vulnerability/CVE-2024-7356,Stored Cross-Site Scripting Vulnerability in Zephyr Project Manager Plugin,"The Zephyr Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘filename’ parameter in all versions up to, and including, 3.3.100 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.",Wordpress,Zephyr Project Manager,6.4,MEDIUM,0.0006799999973736703,false,,false,false,false,,false,false,2024-08-03T09:37:19.855Z,0
CVE-2022-2839,https://securityvulnerability.io/vulnerability/CVE-2022-2839,Zephyr Project Manager < 3.2.55 - Unauthorised AJAX Calls To Stored XSS,"The Zephyr Project Manager WordPress plugin before 3.2.55 does not have any authorisation as well as CSRF in all its AJAX actions, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks against logged in admins.",Wordpress,Zephyr Project Manager,5.4,MEDIUM,0.000539999979082495,false,,false,false,false,,false,false,2022-10-03T13:45:24.000Z,0
CVE-2022-2840,https://securityvulnerability.io/vulnerability/CVE-2022-2840,Zephyr Project Manager < 3.2.5 - Multiple Unauthenticated SQLi,"The Zephyr Project Manager WordPress plugin before 3.2.5 does not sanitise and escape various parameters before using them in SQL statements via various AJAX actions available to both unauthenticated and authenticated users, leading to SQL injections",Wordpress,Zephyr Project Manager,9.8,CRITICAL,0.0056500001810491085,false,,false,false,false,,false,false,2022-09-19T00:00:00.000Z,0
CVE-2022-1822,https://securityvulnerability.io/vulnerability/CVE-2022-1822,Zephyr Project Manager <= 3.2.40 - Reflected Cross-Site Scripting,"The Zephyr Project Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘project’ parameter in versions up to, and including, 3.2.40 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.",Wordpress,Zephyr Project Manager,6.1,MEDIUM,0.00139999995008111,false,,false,false,false,,false,false,2022-06-13T12:25:29.000Z,0