Vulnerabilities > NI Woocommerce Custom Order Status Project > NI Woocommerce Custom Order Status > 1.1

DATE	CVE	VULNERABILITY TITLE	RISK
2021-12-21	CVE-2021-24846	SQL Injection vulnerability in NI Woocommerce Custom Order Status Project NI Woocommerce Custom Order Status The get_query() function of the Ni WooCommerce Custom Order Status WordPress plugin before 1.9.7, used by the niwoocos_ajax AJAX action, available to all authenticated users, does not properly sanitise the sort parameter before using it in a SQL statement, leading to an SQL injection, exploitable by any authenticated users, such as subscriber network low complexity ni-woocommerce-custom-order-status-project CWE-89	6.5

CVE is a registered MITRE Corporation trademark and MITRE's CVE website is the authoritative source of CVE content. CWE is a registered MITRE Corporation trademark and MITRE's CWE website is the authoritative source of CWE content.