CVE-2022-2840
CRITICAL
Zephyr Project Manager <3.2.5 - SQL Injection
Title source: llm
Description
The Zephyr Project Manager WordPress plugin before 3.2.5 does not sanitise and escape various parameters before using them in SQL statements via various AJAX actions available to both unauthenticated and authenticated users, leading to SQL injections.
Exploits (1)
exploitdb
WORKING POC
VERIFIED
by Rizacan Tufan · text · webapps · php
https://www.exploit-db.com/exploits/51024
Scores
CVSS v3
9.8
EPSS
0.0385
EPSS Percentile
88.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Details
CWE
CWE-89
Status
published
Products (1)
zephyr-one/zephyr_project_manager
< 3.2.5
Published
Sep 19, 2022
Tracked Since
Feb 18, 2026