CVE-2022-2840
Summary
| CVE | CVE-2022-2840 |
|---|---|
| State | PUBLIC |
| Assigner | [email protected] |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2022-09-19 14:15:00 UTC |
| Updated | 2022-12-03 02:40:00 UTC |
| Description | The Zephyr Project Manager WordPress plugin before 3.2.5 does not sanitise and escape various parameters before using them in SQL statements via various AJAX actions available to both unauthenticated and authenticated users, leading to SQL injections. |
Risk And Classification
Problem Types: CWE-89
NVD Known Affected Configurations (CPE 2.3)
| Type | Vendor | Product | Version | Update | Edition | Language |
|---|---|---|---|---|---|---|
| Application | Zephyr Project Manager Project | Zephyr Project Manager | All | All | All | All |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| WordPress Zephyr Project Manager 3.2.42 SQL Injection ≈ Packet Storm | MISC | packetstormsecurity.com | |
| Zephyr Project Manager < 3.2.5 - Multiple Unauthenticated SQLi WordPress Security Vulnerability | MISC | wpscan.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
LEGACY: Rizacan TUFAN
There are currently no legacy QID mappings associated with this CVE.