Zephyr Project Manager < 3.2.5 - Multiple Unauthenticated SQLi
CVE-2022-2840

9.8CRITICAL

Key Information:

Vendor: Wordpress
Status: Zephyr Project Manager
Vendor: CVE Published:; 19 September 2022

Summary

The Zephyr Project Manager WordPress plugin before 3.2.5 does not sanitise and escape various parameters before using them in SQL statements via various AJAX actions available to both unauthenticated and authenticated users, leading to SQL injections

Affected Version(s)

Zephyr Project Manager 3.2.5

References

https://wpscan.com/vulnerability/13d8be88-c3b7-4d6e-9792-...

http://packetstormsecurity.com/files/168652/WordPress-Zep...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 19, 2022
Vulnerability Reserved
Aug 16, 2022

Credit

Rizacan TUFAN