CVE-2022-2840

CRITICAL

Zephyr Project Manager <3.2.5 - SQL Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-2840. PoCs published by Rizacan Tufan.

AI-analyzed exploit summary This exploit demonstrates multiple SQL injection vulnerabilities in the WordPress Zephyr Project Manager plugin (version 3.2.42). It includes payloads for boolean-based blind, time-based blind, and UNION-based SQLi attacks on various endpoints.

Description

The Zephyr Project Manager WordPress plugin before 3.2.5 does not sanitise and escape various parameters before using them in SQL statements via various AJAX actions available to both unauthenticated and authenticated users, leading to SQL injections

Exploits (1)

exploitdb WORKING POC VERIFIED
by Rizacan Tufan · textwebappsphp
https://www.exploit-db.com/exploits/51024

This exploit demonstrates multiple SQL injection vulnerabilities in the WordPress Zephyr Project Manager plugin (version 3.2.42). It includes payloads for boolean-based blind, time-based blind, and UNION-based SQLi attacks on various endpoints.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: WordPress Plugin Zephyr Project Manager 3.2.42
Auth required
Prerequisites: Authenticated access to WordPress admin panel · Valid nonce value
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 9.8
EPSS 0.0961
EPSS Percentile 94.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (1)
zephyr-one/zephyr_project_manager < 3.2.5
Published Sep 19, 2022
Tracked Since Feb 18, 2026