CVE-2025-10490
BaseFortify
Publication date: 2025-09-26
Last updated on: 2025-09-26
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zephyr | project_manager | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The Zephyr Project Manager plugin for WordPress has a Stored Cross-Site Scripting (XSS) vulnerability in its admin settings in all versions up to and including 3.3.202. This occurs because the plugin does not properly sanitize input or escape output, allowing authenticated users with administrator-level permissions or higher to inject malicious web scripts. These scripts execute whenever a user accesses the affected page. This vulnerability specifically affects multi-site installations and installations where the unfiltered_html setting is disabled.
How can this vulnerability impact me? :
This vulnerability can allow an attacker with administrator-level access to inject malicious scripts into the WordPress admin pages. These scripts can execute in the context of other users viewing the injected pages, potentially leading to unauthorized actions, data theft, session hijacking, or other malicious activities. Because it is a stored XSS, the malicious code persists and affects all users who access the compromised pages, increasing the risk and impact.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves checking for stored cross-site scripting payloads in the admin settings of the Zephyr Project Manager plugin on multi-site WordPress installations where unfiltered_html is disabled. Since the vulnerability requires administrator-level access, detection can include reviewing admin settings pages for suspicious scripts or payloads. Additionally, monitoring REST API calls to 'zephyr_project_manager/v1' endpoints for unusual or malformed input could help identify exploitation attempts. Specific commands are not provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Zephyr Project Manager plugin to a version that includes the patch addressing input validation and permission checks in the REST API, as described in the changeset 3366388. Ensuring that only trusted administrators have access to the plugin settings and enabling strict input validation and permission verification will reduce risk. Also, verify that the REST API endpoints properly validate parameters and authenticate users to prevent injection attacks. [1]