The get_query() function of the Ni WooCommerce Custom Order Status WordPress plugin prior to 1.9.7, used by the niwoocos_ajax AJAX action, which is available to all authenticated users, does not properly sanitise the sort parameter before using it in a SQL statement. This leads to a SQL injection exploitable by any authenticated user, such as a subscriber.
Vulnerable Product |
---|
ni woocommerce custom order status project: ni woocommerce custom order status |
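As an added illustration, not the plugin's own code, the following hypothetical WordPress AJAX handler shows the pattern the description names (an ORDER BY clause assembled from the request's sort parameter) next to a hardened version that allowlists the sort key and requires a capability beyond what a subscriber holds. The table, column, hook, nonce and capability names are assumptions made for the example.

```php
<?php
// Added example (not the plugin's code): hypothetical handler illustrating the
// unsanitised-sort pattern described in the CVE and an allowlisted replacement.
// Assumes the global $wpdb and the wp_ajax_* hook; table, column, hook and nonce
// names are illustrative (legacy WooCommerce orders live in the posts table).

// UNSAFE: the raw request value becomes part of the SQL text. $wpdb->prepare()
// value placeholders (%s, %d) bind values, not identifiers, so they do not
// protect a column name or ORDER BY expression taken from the request.
function example_get_query_unsafe( $sort ) {
    global $wpdb;
    return "SELECT ID, post_status FROM {$wpdb->posts} WHERE post_type = 'shop_order' ORDER BY {$sort}";
}

// SAFE: map the untrusted key onto a fixed set of column names and directions.
// Anything outside the allowlist falls back to a default and never reaches SQL.
function example_get_query_safe( $sort, $direction = 'asc' ) {
    global $wpdb;
    $columns = array(
        'id'     => 'ID',
        'status' => 'post_status',
        'date'   => 'post_date',
    );
    $column    = isset( $columns[ $sort ] ) ? $columns[ $sort ] : 'ID';
    $direction = ( 'desc' === strtolower( $direction ) ) ? 'DESC' : 'ASC';
    return "SELECT ID, post_status FROM {$wpdb->posts} WHERE post_type = 'shop_order' ORDER BY {$column} {$direction}";
}

// Hardened AJAX callback: verify a nonce, require a WooCommerce management
// capability (the CVE notes that subscribers could reach the action), then
// run only the allowlisted query.
function example_niwoocos_ajax_handler() {
    check_ajax_referer( 'example_niwoocos_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    global $wpdb;
    // sanitize_key() reduces input to [a-z0-9_-]; the allowlist above decides what is used.
    $sort      = isset( $_POST['sort'] ) ? sanitize_key( wp_unslash( $_POST['sort'] ) ) : 'id';
    $direction = isset( $_POST['dir'] ) ? sanitize_key( wp_unslash( $_POST['dir'] ) ) : 'asc';
    $rows      = $wpdb->get_results( example_get_query_safe( $sort, $direction ) );
    wp_send_json_success( $rows );
}
add_action( 'wp_ajax_example_niwoocos', 'example_niwoocos_ajax_handler' );
```

The allowlist is the control that matters: escaping a value does not make it a safe identifier, so the sort key must be resolved to a known column name before the statement is built.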