CVE-2022-0785
Published: 18 April 2022
Summary
CVE-2022-0785 is a critical-severity SQL Injection (CWE-89) vulnerability in the Daily Prayer Time plugin (Daily Prayer Time Project). Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 1.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.
Deeper analysis
The Daily Prayer Time WordPress plugin before version 2022.03.01 contains an unauthenticated SQL injection vulnerability tracked as CVE-2022-0785. The flaw stems from missing sanitization and escaping of the month parameter before it is used in a SQL statement inside the get_monthly_timetable AJAX action, which is exposed to unauthenticated callers. The issue is classified under CWE-89 and carries a CVSS 3.1 score of 9.8.
An attacker with no credentials can invoke the AJAX endpoint and supply a crafted month value to inject arbitrary SQL, gaining the ability to read, modify, or delete database contents and potentially achieve full site compromise. The EPSS score for this issue stands at 0.7035.
WPScan lists the vulnerability and notes that the plugin author addressed it in release 2022.03.01. No further mitigation details are supplied in the available references.
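The weakness described above is the classic WordPress AJAX pattern of interpolating a request parameter straight into a query. The following is an added, constructed illustration (not the plugin's own code); the function names prefixed dpt_, the table wp_prayer_times and its columns are assumptions, while the get_monthly_timetable action name is the one the advisory cites. It shows the weak form beside a hardened handler that validates the month as an integer in range and binds it with $wpdb->prepare().

```php
<?php
// Constructed illustration, not the plugin's own code: a WordPress AJAX handler
// that interpolates $_GET['month'] into SQL (the CWE-89 pattern CVE-2022-0785
// describes) beside a hardened handler using validation and $wpdb->prepare().
// Table name and column names (prayer_times, month, day, fajr) are assumed.

// Weak pattern: untrusted input concatenated straight into the query string.
function dpt_get_monthly_timetable_weak() {
    global $wpdb;
    $month = $_GET['month'];                       // no validation, no escaping
    $sql   = "SELECT day, fajr FROM {$wpdb->prefix}prayer_times WHERE month = $month";
    wp_send_json_success( $wpdb->get_results( $sql ) ); // caller controls query shape
}

// Hardened pattern: validate the value's type and range, then bind it.
function dpt_get_monthly_timetable_safe() {
    global $wpdb;
    $month = isset( $_GET['month'] ) ? absint( $_GET['month'] ) : 0;
    if ( $month < 1 || $month > 12 ) {
        // Reject anything that is not a month number; wp_send_json_error() exits.
        wp_send_json_error( array( 'message' => 'month must be an integer 1-12' ), 400 );
    }
    // %d forces an integer placeholder, so the input can never alter the SQL.
    $sql = $wpdb->prepare(
        "SELECT day, fajr FROM {$wpdb->prefix}prayer_times WHERE month = %d",
        $month
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// The action is reachable by unauthenticated callers (wp_ajax_nopriv_*), so
// strict input handling, not authentication, is the control that closes the bug.
add_action( 'wp_ajax_nopriv_get_monthly_timetable', 'dpt_get_monthly_timetable_safe' );
add_action( 'wp_ajax_get_monthly_timetable',        'dpt_get_monthly_timetable_safe' );
```

When reviewing a plugin for this class of bug, grep for $wpdb->query / get_results / get_var calls whose SQL string is built by interpolation or concatenation rather than passed through $wpdb->prepare().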
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-15837
Vulnerability details
The Daily Prayer Time WordPress plugin before 2022.03.01 does not sanitise and escape the month parameter before using it in a SQL statement via the get_monthly_timetable AJAX action (available to unauthenticated users), leading to an unauthenticated SQL injection.
- CWE(s): CWE-89
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.