{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10490", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-15T15:23:44.983Z", "datePublished": "2025-09-26T06:43:29.951Z", "dateUpdated": "2026-04-08T17:35:03.672Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:35:03.672Z"}, "affected": [{"vendor": "dylanjkotze", "product": "Zephyr Project Manager", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.3.202", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Zephyr Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.3.202 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "title": "Zephyr Project Manager <= 3.3.202 - Authenticated (Admin+) Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fdf68c19-ee1b-4d0a-876b-c061763b39c3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3366388%40zephyr-project-manager&new=3366388%40zephyr-project-manager&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "baseScore": 4.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Aur\u00e9lien BOURDOIS"}], "timeline": [{"time": "2025-09-16T11:17:13.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-09-25T17:41:11.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-26T19:53:05.476076Z", "id": "CVE-2025-10490", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-26T19:53:18.971Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10490", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-26T19:53:05.476076Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-26T19:53:13.887Z"}}], "cna": {"title": "Zephyr Project Manager <= 3.3.202 - Authenticated (Admin+) Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Aur\u00e9lien BOURDOIS"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "dylanjkotze", "product": "Zephyr Project Manager", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.3.202"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-16T11:17:13.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-09-25T17:41:11.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fdf68c19-ee1b-4d0a-876b-c061763b39c3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3366388%40zephyr-project-manager&new=3366388%40zephyr-project-manager&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Zephyr Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.3.202 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:35:03.672Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10490", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:35:03.672Z", "dateReserved": "2025-09-15T15:23:44.983Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-26T06:43:29.951Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Zephyr Project Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 3.3.202 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."}], "id": "CVE-2025-10490", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-26T07:15:41.007", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3366388%40zephyr-project-manager&new=3366388%40zephyr-project-manager&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fdf68c19-ee1b-4d0a-876b-c061763b39c3?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T19:00:02.818825+00:00", "value": {"mitigation_remediation": ["Obtain and install the latest version of the Zephyr Project Manager plugin, which removes the vulnerability.", "Disable the Zephyr Project Manager plugin or restrict its use until the patch is applied to prevent accidental exploitation.", "Configure a site\u2011wide Content Security Policy that blocks inline scripts and restricts script sources to trusted origins, mitigating XSS risk."], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting (XSS) that can execute arbitrary scripts in the browser of any user who views an affected page, potentially allowing session hijacking, defacement, or data theft"}, "threat_synthesis": {"affected_systems": "Zephyr Project Manager plugin for WordPress, versions up to and including 3.3.202. The flaw is limited to multi\u2011site WordPress installations where the unfiltered_html capability is disabled. All other product variants, newer plugin releases, or single\u2011site environments are not affected.", "description_and_impact": "The vulnerability resides in the Zephyr Project Manager for WordPress, where configuration values entered by administrators are stored without proper sanitization or escaping. An attacker who can log in with administrator or higher privileges can inject malicious JavaScript into admin settings. When any user loads a page that uses those settings, the injected code runs in the visitor\u2019s browser. The impact is the compromise of confidentiality and integrity for users who view the affected page, but does not affect the underlying server state or database directly. The weakness is a classic stored XSS flaw (CWE\u201179).", "risk_and_exploitability": "The CVSS score of 4.4 indicates a medium risk, and the EPSS score of less than 1% shows a very low likelihood of widespread exploitation at present. The vulnerability is not listed in CISA\u2019s KEV catalog. Because exploitation requires authentication with administrator privileges, an attacker must first compromise a privileged account or leverage an existing one. However, once authenticated, the attacker can easily inject scripts that will run for every visitor when the page is accessed, giving an opportunity for shortcut attacks such as phishing or cookie theft. Given the low public visibility and the need for privileged access, the risk is moderate but still actionable."}}}}, "created": "2025-09-29T09:31:26.870071+00:00", "updated": "2026-04-21T19:00:36.145547+00:00", "vendors": ["dylanjkotze", "dylanjkotze$PRODUCT$zephyr_project_manager", "wordpress", "wordpress$PRODUCT$wordpress"]}