Description
The Zephyr Project Manager WordPress plugin before 3.2.5 does not sanitise and escape various parameters before using them in SQL statements via various AJAX actions available to both unauthenticated and authenticated users, leading to SQL injections
References
ExploitThird Party AdvisoryVDB Entry
https://wpscan.com/vulnerability/13d8be88-c3b7-4d6e-9792-c98b801ba53c
ExploitPatchThird Party Advisory
CVSS impact metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 · Critical
CVSS V3.1
CVSS V3.0
CVSS V2.0
Information
Source identifier
Vulnerability status
Analyzed
Published
2022-09-19T14:15:11.000
2 years agoLast modified
2024-09-03T13:24:12.813
10 months ago