Which Zephyr Project Manager CVEs are tracked?

Zephyr Project Manager tracked CVEs include CVE-2022-2840, CVE-2024-37484, CVE-2024-7624, CVE-2022-2839, and CVE-2024-7356.

How many Zephyr Project Manager vulnerabilities have patch guidance?

20 of 20 tracked Zephyr Project Manager records include a published patch path.

Where should operators start on this Plugin hub?

Start with the priority CVE quick links, then open the full report for affected versions, remediation notes, CVSS vectors, and source references.

Plugin Vulnerability Hub

Plugin 20 known issues Latest disclosed Dec 16, 2025

Zephyr Project Manager Vulnerabilities

Review known vulnerability records for the WordPress plugin Zephyr Project Manager (`zephyr-project-manager`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2025-12496, CVE-2025-10490 and CVE-2025-54714, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed

Known Records

High or Critical

Patch Coverage

100%

Last Updated

Dec 17, 2025

Priority CVE Quick Links

Fast paths into Zephyr Project Manager CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs

CVE-2022-2840 Critical 3.2.5

CVE-2022-2840 Zephyr Project Manager SQL Injection

Zephyr Project Manager <= 3.2.42 - Unauthenticated SQL Injection

CVE-2024-37484 High 3.3.99

CVE-2024-37484 Zephyr Project Manager Privilege Escalation

Zephyr Project Manager <= 3.3.97 - Authenticated (Subscriber+) Privilege Escalation via User Meta Update

CVE-2024-7624 High 3.3.102

CVE-2024-7624 Zephyr Project Manager Privilege Escalation

Zephyr Project Manager <= 3.3.101 - Authenticated (Subscriber+) Limited Privilege Escalation

CVE-2022-2839 High 3.2.55

CVE-2022-2839 Zephyr Project Manager Stored Cross-Site Scripting

Zephyr Project Manager < 3.2.55 - Missing Authorization to Cross-Site Scripting

CVE-2024-7356 Medium 3.3.101

CVE-2024-7356 Zephyr Project Manager Stored Cross-Site Scripting

Zephyr Project Manager <= 3.3.100 - Authenticated (Subscriber+) Stored Cross-Site Scripting via filename Parameter

CVE-2025-32526 Medium 3.3.102

CVE-2025-32526 Zephyr Project Manager Cross-Site Scripting

Zephyr Project Manager <= 3.3.101 - Reflected Cross-Site Scripting

CVE-2022-1822 Medium 3.2.41

CVE-2022-1822 Zephyr Project Manager Cross-Site Scripting

Zephyr Project Manager <= 3.2.40 - Reflected Cross-Site Scripting

CVE-2024-43915 Medium 3.3.103

CVE-2024-43915 Zephyr Project Manager Cross-Site Scripting

Zephyr Project Manager <= 3.3.102 - Reflected Cross-Site Scripting

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for Zephyr Project Manager so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility

20 records include a published patch path, leaving 0 with no listed safe release yet.

Severity Mix

1 critical and 4 high severity findings.

Recent CVEs

CVE-2025-12496, CVE-2025-10490 and CVE-2025-54714

Reference Workflow

Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

CVE-2025-12496 Medium Patch path listed

CVE-2025-12496: Zephyr Project Manager <= 3.3.203 - Authenticated (Custom+) Arbitrary File Read And Server-Side Request Forgery

The Zephyr Project Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.203 via the `file` parameter. This makes it possible for authen...

Published

Dec 16, 2025

Patch Status

3.3.204

Open CVE-2025-12496 Report

CVE-2025-10490 Medium Patch path listed

CVE-2025-10490: Zephyr Project Manager <= 3.3.202 - Authenticated (Admin+) Stored Cross-Site Scripting

The Zephyr Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.3.202 due to insufficient input saniti...

Published

Sep 25, 2025

Patch Status

3.3.203

Open CVE-2025-10490 Report

CVE-2025-54714 Medium Patch path listed

CVE-2025-54714: Zephyr Project Manager <= 3.3.201 - Missing Authorization

The Zephyr Project Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.3.201. This makes...

Published

Aug 26, 2025

Patch Status

3.3.202

Open CVE-2025-54714 Report

Known Vulnerabilities

Reports for Zephyr Project Manager

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2025-12496

CVE-2025-12496: Zephyr Project Manager <= 3.3.203 - Authenticated (Custom+) Arbitrary File Read And Server-Side Request Forgery

The Zephyr Project Manager plugin for WordPress is vulnerable to Directory Traversal in all versions up to, and including, 3.3.203 via the `file` parameter. This makes it possible for authenticated attackers, with Custom-level access and above, to read the contents of arbitrary f...

Published

Dec 16, 2025

Patched Release

3.3.204

Affected Versions

Versions up to 3.3.203

Next Step

Update to 3.3.204 or newer if supported.

Open CVE-2025-12496 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-10490

CVE-2025-10490: Zephyr Project Manager <= 3.3.202 - Authenticated (Admin+) Stored Cross-Site Scripting

The Zephyr Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.3.202 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with admin...

Published

Sep 25, 2025

Patched Release

3.3.203

Affected Versions

Versions up to 3.3.202

Next Step

Update to 3.3.203 or newer if supported.

Open CVE-2025-10490 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-54714

CVE-2025-54714: Zephyr Project Manager <= 3.3.201 - Missing Authorization

The Zephyr Project Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.3.201. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perfo...

Published

Aug 26, 2025

Patched Release

3.3.202

Affected Versions

Versions up to 3.3.201

Next Step

Update to 3.3.202 or newer if supported.

Open CVE-2025-54714 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-39552

CVE-2025-39552: Zephyr Project Manager <= 3.3.200 - Missing Authorization

The Zephyr Project Manager plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.3.200. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perfo...

Published

Apr 16, 2025

Patched Release

3.3.201

Affected Versions

Versions up to 3.3.200

Next Step

Update to 3.3.201 or newer if supported.

Open CVE-2025-39552 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2025-32526

CVE-2025-32526: Zephyr Project Manager <= 3.3.101 - Reflected Cross-Site Scripting

The Zephyr Project Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 3.3.101 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web s...

Published

Apr 10, 2025

Patched Release

3.3.102

Affected Versions

Versions up to 3.3.101

Next Step

Update to 3.3.102 or newer if supported.

Open CVE-2025-32526 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-43915

CVE-2024-43915: Zephyr Project Manager <= 3.3.102 - Reflected Cross-Site Scripting

The Zephyr Project Manager plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 3.3.102 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web s...

Published

Aug 20, 2024

Patched Release

3.3.103

Affected Versions

Versions up to 3.3.102

Next Step

Update to 3.3.103 or newer if supported.

Open CVE-2024-43915 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-43916

CVE-2024-43916: Zephyr Project Manager <= 3.3.102 - Missing Authorization to Authenticated (Subscriber+) Status Updates

The Zephyr Project Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the via the 'create_status‘, ‘update_status‘, and ‘delete_status‘ functions in all versions up to, and including, 3.3.102. This makes it possibl...

Published

Aug 20, 2024

Patched Release

3.3.103

Affected Versions

Versions up to 3.3.102

Next Step

Update to 3.3.103 or newer if supported.

Open CVE-2024-43916 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-43322

CVE-2024-43322: Zephyr Project Manager <= 3.3.100 - Authenticated (Subscriber+) Insecure Direct Object Reference

The Zephyr Project Manager plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.3.100 via the updateTaskStatus() due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to e...

Published

Aug 16, 2024

Patched Release

3.3.101

Affected Versions

Versions up to 3.3.100

Next Step

Update to 3.3.101 or newer if supported.

Open CVE-2024-43322 Report Open CVE Reference

Plugin High Patched: Yes CVE-2024-7624

CVE-2024-7624: Zephyr Project Manager <= 3.3.101 - Authenticated (Subscriber+) Limited Privilege Escalation

The Zephyr Project Manager plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 3.3.101. This is due to the plugin not properly checking a users capabilities before allowing them to enable access to the plugin's settings through...

Published

Aug 14, 2024

Patched Release

3.3.102

Affected Versions

Versions up to 3.3.101

Next Step

Update to 3.3.102 or newer if supported.

Open CVE-2024-7624 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-7356

CVE-2024-7356: Zephyr Project Manager <= 3.3.100 - Authenticated (Subscriber+) Stored Cross-Site Scripting via filename Parameter

The Zephyr Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘filename’ parameter in all versions up to, and including, 3.3.100 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers,...

Published

Aug 02, 2024

Patched Release

3.3.101

Affected Versions

Versions up to 3.3.100

Next Step

Update to 3.3.101 or newer if supported.

Open CVE-2024-7356 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-38761

CVE-2024-38761: Zephyr Project Manager <= 3.3.99 - Unauthenticated Information Exposure

The Zephyr Project Manager plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.3.99 through publicly exposed log files. This makes it possible for unauthenticated attackers to view potentially sensitive information containe...

Published

Jul 12, 2024

Patched Release

3.3.100

Affected Versions

Versions up to 3.3.99

Next Step

Update to 3.3.100 or newer if supported.

Open CVE-2024-38761 Report Open CVE Reference

Plugin Medium Patched: Yes CVE-2024-6536

CVE-2024-6536: Zephyr Project Manager <= 3.3.97 - Authenticated (Editor+) Stored Cross-Site Scripting

The Zephyr Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 3.3.97 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level...

Published

Jul 09, 2024

Patched Release

3.3.99

Affected Versions

Versions up to 3.3.97

Next Step

Update to 3.3.99 or newer if supported.

Open CVE-2024-6536 Report Open CVE Reference