PT-2022-9513 · WordPress · Rearrange Woocommerce Products

Krzysztof Zając · Published 2022-02-07 · Updated 2022-10-24 · CVE-2021-24928

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions: Rearrange Woocommerce Products WordPress plugin, versions prior to 3.0.8

Description: The issue is related to improper access controls in the "save all order" AJAX action and a lack of validation and escaping when inserting user data into SQL statements, leading to an SQL injection. This allows any authenticated user to modify arbitrary post content, potentially with an XSS payload, and to exfiltrate data by copying it to another post.

Recommendations: For versions prior to 3.0.8, update to version 3.0.8 or later to resolve the issue. As a temporary workaround, consider restricting access to the "save all order" AJAX action to minimize the risk of exploitation.
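The two weaknesses named above (a missing authorization check on the AJAX action and user data concatenated into SQL) map onto a well-known hardened shape for a WordPress AJAX handler. The snippet below is an added illustration, not the plugin's own code or its fix; the hook name `rwp_save_all_order`, the `ids[]` request parameter and the use of `menu_order` for product ordering are assumptions, since the advisory does not give them.

```php
<?php
// Added illustration only; the real action name is not given in the advisory,
// so this hook name is a placeholder.
define( 'RWP_HYPOTHETICAL_ACTION', 'rwp_save_all_order' );

function rwp_hardened_save_all_order() {
    global $wpdb;

    // Access control: the vulnerable version let any authenticated user reach
    // this code. Require a WooCommerce management capability instead.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    // CSRF protection: the nonce must have been issued for this action.
    check_ajax_referer( RWP_HYPOTHETICAL_ACTION, 'nonce' );

    // Assumed input: ids[] = product post IDs in the desired display order.
    // absint() turns every element into a non-negative integer, so nothing
    // attacker-controlled survives as a string.
    $ids = isset( $_POST['ids'] ) ? (array) wp_unslash( $_POST['ids'] ) : array();
    $ids = array_values( array_filter( array_map( 'absint', $ids ) ) );
    if ( empty( $ids ) ) {
        wp_send_json_error( array( 'message' => 'no ids supplied' ), 400 );
    }

    $updated = 0;
    foreach ( $ids as $position => $post_id ) {
        // Only products may be reordered; IDs of other post types are ignored,
        // which closes the "modify arbitrary post content" path.
        if ( get_post_type( $post_id ) !== 'product' ) {
            continue;
        }
        // Prepared statement with %d placeholders: user data never reaches the
        // SQL string unescaped, which closes the injection path.
        $updated += (int) $wpdb->query( $wpdb->prepare(
            "UPDATE {$wpdb->posts} SET menu_order = %d WHERE ID = %d AND post_type = 'product'",
            $position,
            $post_id
        ) );
    }
    wp_send_json_success( array( 'updated' => $updated ) );
}
add_action( 'wp_ajax_' . RWP_HYPOTHETICAL_ACTION, 'rwp_hardened_save_all_order' );
```

The temporary workaround from the advisory can be applied at site level with the same idea: hook the real action at priority 0 from a must-use plugin and call `wp_send_json_error()` for users lacking the capability, which stops execution before the plugin's own handler (default priority 10) runs.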

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2021-24928

Affected Products: Rearrange Woocommerce Products