CVE-2021-24846

CVE-2021-24846: Ni WooCommerce Custom Order Status < 1.9.7 - Subscriber+ SQL Injection

Vendor: Unknown
Product: Ni WooCommerce Custom Order Status
Weakness: CWE-89 · SQLi
Published: December 21, 2021
Last update: August 3, 2024

What the vulnerability does

01 Description

The get_query() function of the Ni WooCommerce Custom Order Status WordPress plugin before 1.9.7, which is used by the niwoocos_ajax AJAX action available to all authenticated users, does not properly sanitise the sort parameter before using it in a SQL statement. This leads to an SQL injection exploitable by any authenticated user, such as a subscriber.

Key dates

02 Disclosure timeline

December 21, 2021: CVE published
August 3, 2024: Record updated