CVE-2024-8621

Name of the Vulnerable Software and Affected Versions: Daily Prayer Time plugin for WordPress versions up to, and including, 2024.08.26

Description: The issue arises from insufficient escaping on the user-supplied max word attribute of the quran verse shortcode and lack of sufficient preparation on the existing SQL query. This allows authenticated attackers with Contributor-level access and above to append additional SQL queries into already existing queries, potentially extracting sensitive information from the database.

Recommendations: For versions up to, and including, 2024.08.26, consider disabling the quran verse shortcode until a patch is available to prevent exploitation. Restrict access to the max word attribute in the quran verse shortcode to minimize the risk of SQL Injection attacks. At the moment, there is no information about a newer version that contains a fix for this vulnerability.