1. Home
  2. CVE Database
  3. CVE-2021-24846
HIGH · 8.8

CVE-2021-24846

The get_query() function of the Ni WooCommerce Custom Order Status WordPress plugin before 1.9.7, used by the niwoocos_ajax AJAX action, available to all authenticated users, does not properly sanitis...

Vulnerability Description

The get_query() function of the Ni WooCommerce Custom Order Status WordPress plugin before 1.9.7, used by the niwoocos_ajax AJAX action, available to all authenticated users, does not properly sanitise the sort parameter before using it in a SQL statement, leading to an SQL injection, exploitable by any authenticated users, such as subscriber

CVSS Score

8.8

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH

Affected Products

VendorProductVersions
Ni Woocommerce Custom Order Status ProjectNi Woocommerce Custom Order Status< 1.9.7

Related Weaknesses (CWE)

CWE-89

References

FAQ

What is CVE-2021-24846?

CVE-2021-24846 is a vulnerability with a CVSS score of 8.8 (HIGH). The get_query() function of the Ni WooCommerce Custom Order Status WordPress plugin before 1.9.7, used by the niwoocos_ajax AJAX action, available to all authenticated users, does not properly sanitis...

How severe is CVE-2021-24846?

CVE-2021-24846 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2021-24846?

Check the references section above for vendor advisories and patch information. Affected products include: Ni Woocommerce Custom Order Status Project Ni Woocommerce Custom Order Status.