CVE-2021-24402

Severity CVSS v4.0:
Pending analysis
Type:
CWE-89 SQL Injection
Publication date:
20/09/2021
Last modified:
29/09/2021

Description

The Orders functionality in the WP iCommerce WordPress plugin through 1.1.1 has an `order_id` parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. The feature is available to low privilege users such as contributors

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:solvercircle:wp_icommerce:*:*:*:*:*:wordpress:*:* 1.1.1 (including)