CVE-2021-24402

Name of the Vulnerable Software and Affected Versions WP iCommerce WordPress plugin versions 1.1.1 and earlier

Description The Orders functionality in the WP iCommerce WordPress plugin has an order id parameter that is not sanitized, escaped, or validated before being inserted into a SQL statement, leading to SQL injection. This feature is available to low-privilege users, such as contributors.

Recommendations For WP iCommerce WordPress plugin versions 1.1.1 and earlier, consider disabling the Orders functionality until a patch is available to prevent SQL injection attacks. Restrict access to the Orders feature to minimize the risk of exploitation, especially for low-privilege users. Avoid using the order id parameter in the affected SQL statement until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.