QwikSec

Security Database

CVE

CWE

Training

CVE-2021-24846

Published: Dec 21, 2021

Modified: Aug 3, 2024

PUBLISHED

Description

The get_query() function of the Ni WooCommerce Custom Order Status WordPress plugin before 1.9.7, used by the niwoocos_ajax AJAX action, available to all authenticated users, does not properly sanitise the sort parameter before using it in a SQL statement, leading to an SQL injection, exploitable by any authenticated users, such as subscriber

Vendor	Product	Versions
Unknown	Ni WooCommerce Custom Order Status	affected `1.9.7 - < 1.9.7`

Weaknesses (CWE)

References

https://wpscan.com/vulnerability/a1e7cd2b-8400-4c5d-8b47-a8ccd1e21675

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.