Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dylan James Zephyr Project Manager zephyr-project-manager allows Reflected XSS. This issue affects Zephyr Project Manager: from n/a through <= 3.3.101.
Published: 2025-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Improper neutralization of user input allows an attacker to inject malicious script code into pages that are displayed to other users. The reflected nature of the flaw means the injected payload is echoed back within the same HTTP response, enabling the attacker to craft a URL or form that will execute arbitrary JavaScript in the victim’s browser, potentially leading to credential theft, session hijacking, or defacement.

Affected Systems

The vulnerability exists in the Zephyr Project Manager WordPress plugin, developed by Dylan James, and affects all versions up through 3.3.101. Site owners should verify the plugin version and upgrade if possible.

Risk and Exploitability

The CVSS score of 7.1 places this issue in the High severity band. The EPSS score below 1% suggests a low probability of exploitation, and the vulnerability has not been catalogued in the CISA KEV list. Nonetheless, because the flaw is a reflected XSS reachable through a crafted URL with no privileges required (the CVSS vector records PR:N and UI:R), anyone who can get a user of the site to open such a link can deliver a payload, so the risk remains significant for exposed sites.

Generated by OpenCVE AI on May 2, 2026 at 02:00 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Zephyr Project Manager to the latest available release, which eliminates the reflected XSS vulnerability.
  • If an update is not immediately possible, disable or remove the Zephyr Project Manager plugin from the WordPress installation to block the vulnerable code path.
  • Implement a content security policy that restricts script sources to self or trusted domains, reducing the impact of any remaining reflected XSS until a patch is applied.
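The following is an added illustration, not code from the Zephyr Project Manager plugin or from OpenCVE, of the general pattern behind a reflected XSS in a WordPress plugin (the echo-back described under Impact) next to the output escaping and Content-Security-Policy header that the recommended actions describe. The request parameter name `zpm_search` and the function names `zpm_render_search_vulnerable`, `zpm_render_search_hardened` and `zpm_send_csp_header` are assumptions for illustration; the advisory does not identify the affected parameter or code path.

```php
<?php
// Added example (hypothetical). The parameter name 'zpm_search' is assumed
// for illustration; the advisory does not name the vulnerable input.

// VULNERABLE pattern: a request parameter is written straight into the HTML
// response, so whatever markup a crafted URL carries is returned to the
// browser unchanged and interpreted as part of the page.
function zpm_render_search_vulnerable() {
    $term = isset( $_GET['zpm_search'] ) ? wp_unslash( $_GET['zpm_search'] ) : '';
    echo '<input type="text" name="zpm_search" value="' . $term . '">';
    echo '<p>Results for: ' . $term . '</p>';
}

// HARDENED form: sanitize on input, then escape for the exact output context
// (attribute value vs. text node). WordPress ships esc_attr() and esc_html()
// for these two contexts; the two are not interchangeable.
function zpm_render_search_hardened() {
    $term = isset( $_GET['zpm_search'] )
        ? sanitize_text_field( wp_unslash( $_GET['zpm_search'] ) )
        : '';
    echo '<input type="text" name="zpm_search" value="' . esc_attr( $term ) . '">';
    echo '<p>Results for: ' . esc_html( $term ) . '</p>';
}

// Defense in depth (third recommended action): a Content-Security-Policy
// that permits scripts only from the site's own origin. Inline event
// handlers and injected <script> elements are then blocked by the browser
// even where escaping was missed. Sent on the WordPress 'send_headers' hook.
function zpm_send_csp_header() {
    if ( headers_sent() ) {
        return;
    }
    header( "Content-Security-Policy: default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'" );
}
add_action( 'send_headers', 'zpm_send_csp_header' );
```

Many themes and plugins depend on inline scripts, so a policy this strict will break parts of a typical site; roll it out first as `Content-Security-Policy-Report-Only` on a staging copy, review the violation reports, then add nonces or hashes for the inline scripts that must stay before switching to the enforcing header.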



Advisories
Source: EUVD
ID: EUVD-2025-11663
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dylan James Zephyr Project Manager allows Reflected XSS. This issue affects Zephyr Project Manager: from n/a through 3.3.101.
History

Thu, 23 Apr 2026 15:00:00 +0000

  Type: Metrics (cvssV3_1)
  Values Removed: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
  Values Added:   {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  Type: Description
  Values Removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dylan James Zephyr Project Manager allows Reflected XSS. This issue affects Zephyr Project Manager: from n/a through 3.3.101.
  Values Added:   Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dylan James Zephyr Project Manager zephyr-project-manager allows Reflected XSS.This issue affects Zephyr Project Manager: from n/a through <= 3.3.101.

  Type: References
  (no values shown)

  Type: Metrics (cvssV3_1)
  Values Removed: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
  Values Added:   {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Sat, 12 Jul 2025 13:45:00 +0000

  Type: Metrics (epss)
  Values Removed: {'score': 0.00045}
  Values Added:   {'score': 0.00039}

Fri, 11 Jul 2025 13:00:00 +0000

  Type: First Time appeared
  Values Added: Zephyr-one; Zephyr-one zephyr Project Manager

  Type: CPEs
  Values Added: cpe:2.3:a:zephyr-one:zephyr_project_manager:*:*:*:*:*:wordpress:*:*

  Type: Vendors & Products
  Values Added: Zephyr-one; Zephyr-one zephyr Project Manager

Thu, 17 Apr 2025 19:15:00 +0000

  Type: Metrics (ssvc)
  Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 17 Apr 2025 16:00:00 +0000

  Type: Description
  Values Added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Dylan James Zephyr Project Manager allows Reflected XSS. This issue affects Zephyr Project Manager: from n/a through 3.3.101.

  Type: Title
  Values Added: WordPress Zephyr Project Manager plugin <= 3.3.101 - Cross Site Scripting (XSS) vulnerability

  Type: Weaknesses
  Values Added: CWE-79

  Type: References
  (no values shown)

  Type: Metrics (cvssV3_1)
  Values Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Subscriptions

Zephyr-one Zephyr Project Manager
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:23.712Z

Reserved: 2025-04-09T11:19:42.423Z

Link: CVE-2025-32526

Vulnrichment

Updated: 2025-04-17T18:05:53.563Z

NVD

Status : Modified

Published: 2025-04-17T16:15:41.333

Modified: 2026-04-23T15:29:02.727

Link: CVE-2025-32526

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T02:15:31Z

Weaknesses