CVE-2022-0785
published 2022-04-18


Priority: P1 (81)
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploited in the wild (listed in VulnCheck KEV)
EPSS: 9.21% (94.7th percentile)
The Daily Prayer Time WordPress plugin before 2022.03.01 does not sanitise and escape the month parameter before using it in a SQL statement via the get_monthly_timetable AJAX action (available to unauthenticated users), leading to an unauthenticated SQL injection

Affected (1 range)

Vendor: daily_prayer_time_project
Product: daily_prayer_time
Version range: < 2022.03.01
Fixed in: 2022.03.01

Detection & IOCs (extracted from sources)

command: get_monthly_timetable
  • Monitor unauthenticated POST/GET requests to wp-admin/admin-ajax.php with action=get_monthly_timetable whose 'month' parameter is anything other than a plain month number (quotes, comment sequences, UNION/SELECT, time-based functions such as SLEEP). Note that a web-server access log only records query-string parameters; a 'month' value sent in a POST body is visible only to the application or a WAF.
  • Fingerprint Daily Prayer Time plugin installations by checking for HTTP 200 responses whose body contains 'dptTimetable customStyles dptUserStyles'. The string identifies the plugin, not the version, so confirm the version before treating the host as vulnerable.
  • The vulnerability affects Daily Prayer Time WordPress plugin versions before 2022.03.01; flag any installation running a version < 2022.03.01 (2022.03.01 itself is the fixed release).
  • The AJAX action is available to unauthenticated users, so no authentication is required to trigger the SQL injection; detection rules must not filter out unauthenticated requests.
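The following script is an added example for this page, not code from the plugin, the vulnerability database or any published detection rule. It scans access-log lines in the common Apache/nginx "combined" format for requests to wp-admin/admin-ajax.php with action=get_monthly_timetable, classifies the 'month' parameter (the assumption that a legitimate month is an integer 1-12 is the author's, as are the SQLi indicator patterns), marks body-only POSTs as opaque, and includes a version check that uses the strict < 2022.03.01 boundary. The log lines are constructed for the example.

```python
"""Access-log detection for CVE-2022-0785 probes (added example, not the plugin's code).

Assumptions (author's, not from the advisory):
  - the legitimate 'month' value is a small integer, 1..12;
  - the SQLi indicator patterns below are a heuristic, not a complete grammar.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines (Apache/nginx "combined" format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Apr/2022:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=get_monthly_timetable&month=4 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Apr/2022:10:01:07 +0000] "GET /wp-admin/admin-ajax.php?action=get_monthly_timetable&month=4%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 200 6010 "-" "python-requests/2.27"
203.0.113.9 - - [18/Apr/2022:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=get_monthly_timetable&month=4%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 5120 "-" "python-requests/2.27"
198.51.100.2 - - [18/Apr/2022:10:02:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Apr/2022:10:02:30 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicators that a value meant to be a month number carries SQL syntax (heuristic).
SQLI_RE = re.compile(
    r"""('|"|--|/\*|\bunion\b|\bselect\b|\bsleep\s*\(|\bbenchmark\s*\(|\b(?:or|and)\b\s+\S+\s*=)""",
    re.I,
)


def is_benign_month(value: str) -> bool:
    """Assumption: the plugin expects a plain month number 1..12."""
    return value.isdigit() and 1 <= int(value) <= 12


def classify(line: str):
    """Return a verdict record for a relevant admin-ajax.php request, else None."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    rec = {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method")}
    if m.group("method") == "POST" and "action" not in params:
        # Parameters went in the request body, which an access log does not record:
        # only the application or a WAF can inspect the 'month' value here.
        rec.update(verdict="opaque_post", month=None)
        return rec
    if params.get("action", [""])[0] != "get_monthly_timetable":
        return None
    month = params.get("month", [""])[0]
    if is_benign_month(month):
        verdict = "benign"
    elif SQLI_RE.search(month):
        verdict = "sqli"
    else:
        verdict = "suspicious"  # non-numeric but no obvious SQL syntax; worth a look
    rec.update(verdict=verdict, month=month)
    return rec


def scan(log_text: str):
    """Classify every line; drop lines that are not get_monthly_timetable traffic."""
    return [r for r in (classify(line) for line in log_text.splitlines()) if r]


def sqli_sources(log_text: str):
    """Distinct client IPs that sent an injection-looking 'month' value."""
    return sorted({r["ip"] for r in scan(log_text) if r["verdict"] == "sqli"})


def is_vulnerable_version(version: str) -> bool:
    """Versions before 2022.03.01 are affected; 2022.03.01 is the fixed release."""
    return tuple(int(p) for p in version.split(".")) < (2022, 3, 1)


if __name__ == "__main__":
    for r in scan(SAMPLE_LOG):
        print(r["verdict"], r["ip"], r["month"])
```

Running the block against the constructed log flags 203.0.113.9 twice (a UNION payload and a SLEEP-based payload), records the body-only POST from 198.51.100.2 as opaque rather than silently ignoring it, and ignores the unrelated heartbeat action. Because the action is unauthenticated, the rule deliberately does not look at WordPress cookies or the referrer.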

CVSS provenance

Source     Version  Score  Severity  Vector
nvd        v3.1     9.8    CRITICAL  CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd        v2.0     7.5    HIGH      AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck  -        9.8    CRITICAL  -