CVE-2024-13320
Published: 07 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2024-13320 is a SQL injection vulnerability (CWE-89) in the CURCY - WooCommerce Multi Currency - Currency Switcher plugin for WordPress. It affects all versions up to and including 2.3.6. The issue stems from insufficient escaping of the user-supplied 'wc_filter_price_meta[where]' parameter and lack of sufficient preparation in the existing SQL query, allowing injection of additional SQL.
Unauthenticated attackers can exploit this vulnerability remotely with low attack complexity and no user interaction. Exploitation enables appending malicious SQL queries to existing ones, resulting in extraction of sensitive information from the database. The CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) reflects high confidentiality impact with no integrity or availability disruption.
Advisories including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/6d359a5c-db11-416e-a329-c3ed67b1a925?source=cve and the plugin page at https://codecanyon.net/item/woocommerce-multi-currency/20948446 provide further details on mitigation, with the vulnerability described as present up to version 2.3.6.
Details
- CWE(s)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SQL injection vulnerability in a public-facing WordPress plugin directly enables remote unauthenticated exploitation of T1190: Exploit Public-Facing Application for database data extraction.