{"dataType": "CVE_RECORD", "dataVersion": "5.0", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2022-2840", "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "assignerShortName": "WPScan", "dateUpdated": "2022-10-07T00:00:00", "dateReserved": "2022-08-16T00:00:00", "datePublished": "2022-09-19T00:00:00"}, "containers": {"cna": {"title": "Zephyr Project Manager < 3.2.5 - Multiple Unauthenticated SQLi", "providerMetadata": {"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81", "shortName": "WPScan", "dateUpdated": "2022-10-07T00:00:00"}, "descriptions": [{"lang": "en", "value": "The Zephyr Project Manager WordPress plugin before 3.2.5 does not sanitise and escape various parameters before using them in SQL statements via various AJAX actions available to both unauthenticated and authenticated users, leading to SQL injections"}], "affected": [{"vendor": "Unknown", "product": "Zephyr Project Manager", "versions": [{"version": "3.2.5", "status": "affected", "lessThan": "3.2.5", "versionType": "custom"}]}], "references": [{"url": "https://wpscan.com/vulnerability/13d8be88-c3b7-4d6e-9792-c98b801ba53c"}, {"url": "http://packetstormsecurity.com/files/168652/WordPress-Zephyr-Project-Manager-3.2.42-SQL-Injection.html"}], "credits": [{"lang": "en", "value": "Rizacan TUFAN"}], "problemTypes": [{"descriptions": [{"type": "CWE", "description": "CWE-89 SQL Injection", "cweId": "CWE-89", "lang": "en"}]}], "x_generator": "WPScan CVE Generator", "source": {"discovery": "EXTERNAL"}}}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:zephyr_project_manager_project:zephyr_project_manager:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "AB27329A-C755-4E4C-958F-F9F6DB4EA0DA", "versionEndExcluding": "3.2.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The Zephyr Project Manager WordPress plugin before 3.2.5 does not sanitise and escape various parameters before using them in SQL statements via various AJAX actions available to both unauthenticated and authenticated users, leading to SQL injections"}, {"lang": "es", "value": "El plugin Zephyr Project Manager de WordPress versiones anteriores a 3.2.5, no sanea ni escapa de varios par\u00e1metros antes de usarlos en sentencias SQL por medio de varias acciones AJAX disponibles para usuarios autenticados y no autenticados, conllevando a inyecciones SQL"}], "id": "CVE-2022-2840", "lastModified": "2022-12-03T02:40:56.700", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2022-09-19T14:15:11.000", "references": [{"source": "contact@wpscan.com", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "http://packetstormsecurity.com/files/168652/WordPress-Zephyr-Project-Manager-3.2.42-SQL-Injection.html"}, {"source": "contact@wpscan.com", "tags": ["Exploit", "Patch", "Third Party Advisory"], "url": "https://wpscan.com/vulnerability/13d8be88-c3b7-4d6e-9792-c98b801ba53c"}], "sourceIdentifier": "contact@wpscan.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-89"}], "source": "contact@wpscan.com", "type": "Secondary"}]}

{}