Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    2 vulnerabilities by ni_woocommerce_custom_order_status_project

    CVE-2021-24846 (GCVE-0-2021-24846)

    Vulnerability from cvelistv5 – Published: 2021-12-21 08:45 – Updated: 2024-08-03 19:42
    VLAI
    Title
    Ni WooCommerce Custom Order Status < 1.9.7 - Subscriber+ SQL Injection
    Summary
    The get_query() function of the Ni WooCommerce Custom Order Status WordPress plugin before 1.9.7, used by the niwoocos_ajax AJAX action, available to all authenticated users, does not properly sanitise the sort parameter before using it in a SQL statement, leading to an SQL injection, exploitable by any authenticated users, such as subscriber
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Unknown Ni WooCommerce Custom Order Status Affected: 1.9.7 , < 1.9.7 (custom)
    Create a notification for this product.
    Credits
    JrXnm
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:42:17.360Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/a1e7cd2b-8400-4c5d-8b47-a8ccd1e21675"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Ni WooCommerce Custom Order Status",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "1.9.7",
                  "status": "affected",
                  "version": "1.9.7",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "JrXnm"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The get_query() function of the Ni WooCommerce Custom Order Status WordPress plugin before 1.9.7, used by the niwoocos_ajax AJAX action, available to all authenticated users, does not properly sanitise the sort parameter before using it in a SQL statement, leading to an SQL injection, exploitable by any authenticated users, such as subscriber"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-12-21T08:45:31.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/a1e7cd2b-8400-4c5d-8b47-a8ccd1e21675"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Ni WooCommerce Custom Order Status \u003c 1.9.7 - Subscriber+ SQL Injection",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-24846",
              "STATE": "PUBLIC",
              "TITLE": "Ni WooCommerce Custom Order Status \u003c 1.9.7 - Subscriber+ SQL Injection"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Ni WooCommerce Custom Order Status",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "1.9.7",
                                "version_value": "1.9.7"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "JrXnm"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The get_query() function of the Ni WooCommerce Custom Order Status WordPress plugin before 1.9.7, used by the niwoocos_ajax AJAX action, available to all authenticated users, does not properly sanitise the sort parameter before using it in a SQL statement, leading to an SQL injection, exploitable by any authenticated users, such as subscriber"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-89 SQL Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/a1e7cd2b-8400-4c5d-8b47-a8ccd1e21675",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/a1e7cd2b-8400-4c5d-8b47-a8ccd1e21675"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-24846",
        "datePublished": "2021-12-21T08:45:31.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:42:17.360Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2021-24846 (GCVE-0-2021-24846)

    Vulnerability from nvd – Published: 2021-12-21 08:45 – Updated: 2024-08-03 19:42
    VLAI
    Title
    Ni WooCommerce Custom Order Status < 1.9.7 - Subscriber+ SQL Injection
    Summary
    The get_query() function of the Ni WooCommerce Custom Order Status WordPress plugin before 1.9.7, used by the niwoocos_ajax AJAX action, available to all authenticated users, does not properly sanitise the sort parameter before using it in a SQL statement, leading to an SQL injection, exploitable by any authenticated users, such as subscriber
    Severity
    No CVSS data available.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Unknown Ni WooCommerce Custom Order Status Affected: 1.9.7 , < 1.9.7 (custom)
    Create a notification for this product.
    Credits
    JrXnm
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-03T19:42:17.360Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_refsource_MISC",
                  "x_transferred"
                ],
                "url": "https://wpscan.com/vulnerability/a1e7cd2b-8400-4c5d-8b47-a8ccd1e21675"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "Ni WooCommerce Custom Order Status",
              "vendor": "Unknown",
              "versions": [
                {
                  "lessThan": "1.9.7",
                  "status": "affected",
                  "version": "1.9.7",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "value": "JrXnm"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The get_query() function of the Ni WooCommerce Custom Order Status WordPress plugin before 1.9.7, used by the niwoocos_ajax AJAX action, available to all authenticated users, does not properly sanitise the sort parameter before using it in a SQL statement, leading to an SQL injection, exploitable by any authenticated users, such as subscriber"
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2021-12-21T08:45:31.000Z",
            "orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
            "shortName": "WPScan"
          },
          "references": [
            {
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://wpscan.com/vulnerability/a1e7cd2b-8400-4c5d-8b47-a8ccd1e21675"
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "Ni WooCommerce Custom Order Status \u003c 1.9.7 - Subscriber+ SQL Injection",
          "x_generator": "WPScan CVE Generator",
          "x_legacyV4Record": {
            "CVE_data_meta": {
              "ASSIGNER": "contact@wpscan.com",
              "ID": "CVE-2021-24846",
              "STATE": "PUBLIC",
              "TITLE": "Ni WooCommerce Custom Order Status \u003c 1.9.7 - Subscriber+ SQL Injection"
            },
            "affects": {
              "vendor": {
                "vendor_data": [
                  {
                    "product": {
                      "product_data": [
                        {
                          "product_name": "Ni WooCommerce Custom Order Status",
                          "version": {
                            "version_data": [
                              {
                                "version_affected": "\u003c",
                                "version_name": "1.9.7",
                                "version_value": "1.9.7"
                              }
                            ]
                          }
                        }
                      ]
                    },
                    "vendor_name": "Unknown"
                  }
                ]
              }
            },
            "credit": [
              {
                "lang": "eng",
                "value": "JrXnm"
              }
            ],
            "data_format": "MITRE",
            "data_type": "CVE",
            "data_version": "4.0",
            "description": {
              "description_data": [
                {
                  "lang": "eng",
                  "value": "The get_query() function of the Ni WooCommerce Custom Order Status WordPress plugin before 1.9.7, used by the niwoocos_ajax AJAX action, available to all authenticated users, does not properly sanitise the sort parameter before using it in a SQL statement, leading to an SQL injection, exploitable by any authenticated users, such as subscriber"
                }
              ]
            },
            "generator": "WPScan CVE Generator",
            "problemtype": {
              "problemtype_data": [
                {
                  "description": [
                    {
                      "lang": "eng",
                      "value": "CWE-89 SQL Injection"
                    }
                  ]
                }
              ]
            },
            "references": {
              "reference_data": [
                {
                  "name": "https://wpscan.com/vulnerability/a1e7cd2b-8400-4c5d-8b47-a8ccd1e21675",
                  "refsource": "MISC",
                  "url": "https://wpscan.com/vulnerability/a1e7cd2b-8400-4c5d-8b47-a8ccd1e21675"
                }
              ]
            },
            "source": {
              "discovery": "EXTERNAL"
            }
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
        "assignerShortName": "WPScan",
        "cveId": "CVE-2021-24846",
        "datePublished": "2021-12-21T08:45:31.000Z",
        "dateReserved": "2021-01-14T00:00:00.000Z",
        "dateUpdated": "2024-08-03T19:42:17.360Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }