CVE-2024-7624

HIGH EPSS 32.0%

Published Aug 15, 20241y ago · Modified Jun 17, 20261w ago

8.1 CVSS 3.1

High

Published Aug 15, 2024 1y ago

Last Modified Jun 17, 2026 1w ago

Description

The Zephyr Project Manager plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 3.3.101. This is due to the plugin not properly checking a users capabilities before allowing them to enable access to the plugin's settings through the update_user_access() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to grant themselves full access to the plugin's settings.

CVSS Details

Base Score

8.1

Exploitability

2.8

Impact

5.2

Vector string

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector Network

Attack Complexity Low

Privileges Required Low

User Interaction None

Scope Unchanged

Confidentiality High

Integrity High

Availability None

Threat Intelligence

EPSS Exploit Probability

32.0% percentile

Exploit & Patch Status

No Known Exploit

Patch Available

Weaknesses 2

CWE-285

CWE-863 Incorrect Authorization Authorization

Affected Products 1

Vendor	Product	Version	Range
zephyr-one	zephyr_project_manager	*	<3.3.102

References 3

plugins.trac.wordpress.org https://plugins.trac.wordpress.org/browser/zephyr-project-manager/trunk/includes/Base/AjaxHandler.php?rev=3111536#L2464

Product
plugins.trac.wordpress.org https://plugins.trac.wordpress.org/changeset/3134404/

Patch
wordfence.com https://www.wordfence.com/threat-intel/vulnerabilities/id/b9ef344d-cd56-43f9-b185-de83a92800de?source=cve

Third Party Advisory

Remediation

plugins.trac.wordpress.org https://plugins.trac.wordpress.org/changeset/3134404/

Patch