CVE-2021-24928

MEDIUM

Rearrange Woocommerce Products <3.0.8 - SQL Injection

Title source: llm
STIX 2.1

Description

The Rearrange Woocommerce Products WordPress plugin before 3.0.8 does not have proper access controls in the save_all_order AJAX action, nor validation and escaping when inserting user data in SQL statement, leading to an SQL injection, and allowing any authenticated user, such as subscriber, to modify arbitrary post content (for example with an XSS payload), as well as exfiltrate any data by copying it to another post.

References (1)

Core 1
Core References
Exploit, Third Party Advisory x_refsource_misc
https://wpscan.com/vulnerability/3762a77c-b8c9-428f-877c-bbfd7958e7be

Scores

CVSS v3 6.5
EPSS 0.0089
EPSS Percentile 55.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Details

CWE
CWE-89
Status published
Products (1)
rearrange_woocommerce_products_project/rearrange_woocommerce_products < 3.0.8
Published Feb 07, 2022
Tracked Since Feb 18, 2026