WordPress Plugin Vulnerabilities

Homepage Product Organizer for WooCommerce <= 1.1 - Subscriber+ SQLi

Description

The plugin does not properly sanitise and escape some parameters before using them in SQL statements, leading to SQL injection exploitable by any authenticated users (such as subscriber)

Affects Plugins

Plugin icon
homepage-product-organizer-for-woocommerce
No known fix

References

CVE
CVE-2022-30998

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.6 (high)

Miscellaneous

Original Researcher
Lenon Leite
Verified
No
WPVDB ID
090f3b91-0225-4b4e-ae43-3ed3256fad21

Timeline

Publicly Published
2022-07-22 (about 3 years ago)
Added
2022-07-25 (about 3 years ago)
Last Updated
2022-08-25 (about 3 years ago)

Other

Published
Title
Published
2024-05-23
Title
Search & Replace < 3.2.2 - Admin+ SQL injection
Published
2025-06-03
Title
Product Filter Pro < 2.9.6 - Unauthenticated SQL Injection
Published
2023-03-22
Title
Gift Voucher < 4.3.3 - Subscriber+ SQLi
Published
2023-07-03
Title
User Activity Log < 1.6.3 - Admin+ SQL Injection
Published
2021-11-22
Title
Ni WooCommerce Custom Order Status < 1.9.7 - Subscriber+ SQL Injection