The Daily Prayer Time plugin for WordPress is vulnerable to SQL Injection via the 'max_word' attribute of the 'quran_verse' shortcode in all versions up to, and including, 2024.08.26 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
History

Wed, 25 Sep 2024 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Mmrs151
Mmrs151 daily Prayer Time
CPEs cpe:2.3:a:mmrs151:daily_prayer_time:*:*:*:*:*:wordpress:*:*
Vendors & Products Mmrs151
Mmrs151 daily Prayer Time
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 25 Sep 2024 02:30:00 +0000

Type Values Removed Values Added
Description The Daily Prayer Time plugin for WordPress is vulnerable to SQL Injection via the 'max_word' attribute of the 'quran_verse' shortcode in all versions up to, and including, 2024.08.26 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title Daily Prayer Time <= 2024.08.26 - Authenticated (Contributor+) SQL Injection
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.9, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2024-09-25T02:05:17.822Z

Updated: 2024-09-25T13:45:29.941Z

Reserved: 2024-09-09T19:44:56.186Z

Link: CVE-2024-8621

cve-icon Vulnrichment

Updated: 2024-09-25T13:45:23.990Z

cve-icon NVD

Status : Analyzed

Published: 2024-09-25T03:15:05.600

Modified: 2024-10-02T16:10:27.313

Link: CVE-2024-8621

cve-icon Redhat

No data.