CVE-2024-7624: CWE-285 Improper Authorization in dylanjkotze Zephyr Project Manager
The Zephyr Project Manager plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 3.3.101. This is due to the plugin not properly checking a users capabilities before allowing them to enable access to the plugin's settings through the update_user_access() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to grant themselves full access to the plugin's settings.
AI Analysis
Technical Summary
The Zephyr Project Manager plugin for WordPress suffers from improper authorization (CWE-285) in all versions up to 3.3.101. The vulnerability arises because the plugin does not correctly verify user capabilities before allowing access to modify plugin settings via the update_user_access() function. Authenticated users with subscriber-level privileges or higher can exploit this to escalate their privileges to full administrative control over the plugin settings. This vulnerability is network exploitable without user interaction and impacts confidentiality and integrity with high severity.
Potential Impact
An attacker with authenticated subscriber-level access can escalate privileges to gain full control over the Zephyr Project Manager plugin settings. This can lead to unauthorized changes in project management configurations, potentially affecting the confidentiality and integrity of project data managed through the plugin. There is no indication of impact on availability. No known exploits in the wild have been reported at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict subscriber-level user access where possible and monitor for unusual privilege escalations related to the plugin. Avoid granting unnecessary user roles that could exploit this vulnerability.
CVE-2024-7624: CWE-285 Improper Authorization in dylanjkotze Zephyr Project Manager
Description
The Zephyr Project Manager plugin for WordPress is vulnerable to limited privilege escalation in all versions up to, and including, 3.3.101. This is due to the plugin not properly checking a users capabilities before allowing them to enable access to the plugin's settings through the update_user_access() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to grant themselves full access to the plugin's settings.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Zephyr Project Manager plugin for WordPress suffers from improper authorization (CWE-285) in all versions up to 3.3.101. The vulnerability arises because the plugin does not correctly verify user capabilities before allowing access to modify plugin settings via the update_user_access() function. Authenticated users with subscriber-level privileges or higher can exploit this to escalate their privileges to full administrative control over the plugin settings. This vulnerability is network exploitable without user interaction and impacts confidentiality and integrity with high severity.
Potential Impact
An attacker with authenticated subscriber-level access can escalate privileges to gain full control over the Zephyr Project Manager plugin settings. This can lead to unauthorized changes in project management configurations, potentially affecting the confidentiality and integrity of project data managed through the plugin. There is no indication of impact on availability. No known exploits in the wild have been reported at this time.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict subscriber-level user access where possible and monitor for unusual privilege escalations related to the plugin. Avoid granting unnecessary user roles that could exploit this vulnerability.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2024-08-08T18:14:38.485Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6c1cb7ef31ef0b56002f
Added to database: 2/25/2026, 9:39:40 PM
Last enriched: 4/9/2026, 8:20:17 AM
Last updated: 4/12/2026, 8:39:24 AM
Views: 9
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.