VYPR
Unrated severityNVD Advisory· Published Dec 21, 2021· Updated Aug 3, 2024

Ni WooCommerce Custom Order Status < 1.9.7 - Subscriber+ SQL Injection

CVE-2021-24846

Description

The get_query() function of the Ni WooCommerce Custom Order Status WordPress plugin before 1.9.7, used by the niwoocos_ajax AJAX action, available to all authenticated users, does not properly sanitise the sort parameter before using it in a SQL statement, leading to an SQL injection, exploitable by any authenticated users, such as subscriber

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2

Patches

Vulnerability mechanics

References

1

News mentions

0

No linked articles in our index yet.