The Daily Prayer Time plugin for WordPress is vulnerable to SQL Injection via the 'max_word' attribute of the 'quran_verse' shortcode in all versions up to, and including, 2024.08.26 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Metrics
Affected Vendors & Products
References
History
Wed, 25 Sep 2024 14:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
First Time appeared |
Mmrs151
Mmrs151 daily Prayer Time |
|
CPEs | cpe:2.3:a:mmrs151:daily_prayer_time:*:*:*:*:*:wordpress:*:* | |
Vendors & Products |
Mmrs151
Mmrs151 daily Prayer Time |
|
Metrics |
ssvc
|
Wed, 25 Sep 2024 02:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | The Daily Prayer Time plugin for WordPress is vulnerable to SQL Injection via the 'max_word' attribute of the 'quran_verse' shortcode in all versions up to, and including, 2024.08.26 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | |
Title | Daily Prayer Time <= 2024.08.26 - Authenticated (Contributor+) SQL Injection | |
Weaknesses | CWE-89 | |
References |
| |
Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: Wordfence
Published: 2024-09-25T02:05:17.822Z
Updated: 2024-09-25T13:45:29.941Z
Reserved: 2024-09-09T19:44:56.186Z
Link: CVE-2024-8621
Vulnrichment
Updated: 2024-09-25T13:45:23.990Z
NVD
Status : Analyzed
Published: 2024-09-25T03:15:05.600
Modified: 2024-10-02T16:10:27.313
Link: CVE-2024-8621
Redhat
No data.