1 results (0.002 seconds)
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2021-24846 – Ni WooCommerce Custom Order Status < 1.9.7 - Subscriber+ SQL Injection
https://notcve.org/view.php?id=CVE-2021-24846
22 Nov 2021 — The get_query() function of the Ni WooCommerce Custom Order Status WordPress plugin before 1.9.7, used by the niwoocos_ajax AJAX action, available to all authenticated users, does not properly sanitise the sort parameter before using it in a SQL statement, leading to an SQL injection, exploitable by any authenticated users, such as subscriber La función get_query() del plugin Ni WooCommerce Custom Order Status de WordPress versiones anteriores a 1.9.7, usada por la acción AJAX niwoocos_ajax, disponible para... • https://wpscan.com/vulnerability/a1e7cd2b-8400-4c5d-8b47-a8ccd1e21675 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •