
4 matches found

Prion
added 2021/09/20 10:15 a.m., 9 views

SQL injection

The Orders functionality in the WP iCommerce WordPress plugin through 1.1.1 has an orderid parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. The feature is available to low privilege users such as contributors...

CVSS 6.5 | AI score 7.2 | EPSS 0.00567
Exploits: 2 | References: 2 | Affected Software: 1

Prion
added 2021/09/20 10:15 a.m., 16 views

SQL injection

The Orders functionality in the WordPress Page Contact plugin through 1.0 has an orderid parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. The feature is available to low privilege users such as contributors...

CVSS 6.5 | AI score 7.2 | EPSS 0.00567
Exploits: 2 | References: 2 | Affected Software: 1

Cvelist
added 2021/09/20 10:6 a.m., 13 views

CVE-2021-24402 WP iCommerce <= 1.1.1 - Authenticated (contributor+) SQL Injection

The Orders functionality in the WP iCommerce WordPress plugin through 1.1.1 has an orderid parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. The feature is available to low privilege users such as contributors...

AI score 7.5 | EPSS 0.00567
Exploits: 2 | References: 2

WPVulnDB
added 2021/08/22 12:0 a.m., 22 views

WordPress Page Contact <= 1.0 - Authenticated (editor+) SQL Injection

The Orders functionality in the plugin has an orderid parameter which is not sanitised, escaped or validated before inserting to a SQL statement, leading to SQL injection. The feature is available to low privilege users such as contributors. PoC: POST /wp-admin/admin.php?page=wpagecontact-plugin...

CVSS 7.2 | AI score 1.4 | EPSS 0.00567
Exploits: 2 | References: 1 | Affected Software: 1