The `ordering_by` query parameter in cp-image-store 1.0.67 is vulnerable to unauthenticated SQL injection. The vulnerable code path is reachable once the plugin is installed and a `[codepeople-image-store]` shortcode is embedded on the blog; the page carrying that shortcode is the one that can be abused. An unauthenticated attacker can trigger the vulnerability simply by requesting that blog post page with an additional malformed `ordering_by` query parameter.
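
One way to look for such requests in web server access logs, as an added example that is not part of the original advisory or the plugin's code. It assumes common/combined log format and that legitimate `ordering_by` values are a bare identifier with an optional sort direction; the function name, paths and log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: a legitimate value is a bare identifier, optionally followed
# by a sort direction. Adjust to the values your site actually emits.
SAFE_VALUE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*( (asc|desc))?", re.IGNORECASE)

# Common/combined log format: client IP first, request line in the first quoted field.
LOG_LINE = re.compile(r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*"')


def suspicious_ordering_by(lines):
    """Return (ip, path, decoded_value) for each ordering_by value that is not a plain identifier."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a request line we can parse
        parts = urlsplit(m.group("target"))
        # parse_qsl percent-decodes names and values, so encoded probes are seen in clear.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if name == "ordering_by" and not SAFE_VALUE.fullmatch(value.strip()):
                findings.append((m.group("ip"), parts.path, value))
    return findings


# Constructed sample log lines (documentation IP ranges, hypothetical /shop/ page).
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /shop/?ordering_by=title HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /shop/?ordering_by=title%27 HTTP/1.1" 200 310',
    '198.51.100.7 - - [01/Jan/2024:10:00:09 +0000] "GET /shop/?page=2&ordering_by=price+desc HTTP/1.1" 200 5090',
    '198.51.100.7 - - [01/Jan/2024:10:00:12 +0000] "GET /shop/?ordering_by=price%3B HTTP/1.1" 200 298',
    '192.0.2.44 - - [01/Jan/2024:10:00:15 +0000] "GET /about/ HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, path, value in suspicious_ordering_by(SAMPLE_LOG):
        print(f"{ip} {path} ordering_by={value!r}")
```

Because the flaw needs no authentication, hits from any client address are relevant, and the flagged paths show which pages embed the shortcode.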