CVE-2024-13487
Published: 06 February 2025
Description
The CURCY – Multi Currency for WooCommerce – The best free currency exchange plugin – Run smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution via the get_products_price() function in all versions up to, and including, 2.2.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Security Summary
The CURCY – Multi Currency for WooCommerce plugin for WordPress, in all versions up to and including 2.2.5, contains a vulnerability designated as CVE-2024-13487 that enables arbitrary shortcode execution via the get_products_price() function. The issue stems from insufficient validation of a user-supplied value before it is passed to the do_shortcode() function, allowing malicious shortcodes to be processed and executed.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required, as indicated by the CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L). Successful exploitation permits execution of arbitrary shortcodes, potentially resulting in limited impacts to confidentiality, integrity, and availability, classified under CWE-94 (Improper Control of Generation of Code).
Mitigation details are available through plugin references, including the vulnerable code at frontend/cache.php line 60, a patch in changeset 3234505 on the WordPress plugin trac, the developers section of the woo-multi-currency plugin page, and Wordfence threat intelligence advisory. Security practitioners should update to a patched version beyond 2.2.5 to address the flaw.
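The pattern behind this class of bug, shown as an added illustration rather than the plugin's own code: a request-supplied value reaches do_shortcode() unvalidated, beside a hardened handler that accepts only the structured data the feature needs. The handler names, the `curcy_demo_price` AJAX action and the `product_html` / `product_ids` request keys are hypothetical.

```php
<?php
// Added illustration for CVE-2024-13487's vulnerability class (CWE-94).
// Not the plugin's code; function names and request keys are hypothetical.

// Vulnerable pattern: request data is treated as shortcode source.
function curcy_demo_vulnerable_handler() {
    $raw = isset( $_POST['product_html'] ) ? wp_unslash( $_POST['product_html'] ) : '';
    // Any registered [shortcode] inside $raw is expanded server-side, and the
    // wp_ajax_nopriv_* hook means the caller need not be logged in.
    echo do_shortcode( $raw );
    wp_die();
}

// Hardened pattern: never pass request data to do_shortcode(). Accept only
// product IDs, coerce them to integers, and build the price markup from
// WooCommerce's own data so no attacker-controlled string is ever parsed.
function curcy_demo_hardened_handler() {
    $ids = isset( $_POST['product_ids'] ) ? (array) $_POST['product_ids'] : array();
    $ids = array_values( array_filter( array_map( 'absint', $ids ) ) ); // drop non-positive / non-numeric

    if ( empty( $ids ) ) {
        wp_send_json_error( 'no valid product ids', 400 );
    }

    $prices = array();
    foreach ( $ids as $id ) {
        $product = wc_get_product( $id );
        if ( ! $product ) {
            continue; // unknown ID: skip rather than echo anything back
        }
        // Price HTML originates from WooCommerce, not the request; wp_kses_post()
        // still limits it to post-safe markup before it is returned.
        $prices[ $id ] = wp_kses_post( $product->get_price_html() );
    }

    wp_send_json_success( $prices );
}

// Same handler for logged-in and anonymous callers; neither path touches do_shortcode().
add_action( 'wp_ajax_curcy_demo_price', 'curcy_demo_hardened_handler' );
add_action( 'wp_ajax_nopriv_curcy_demo_price', 'curcy_demo_hardened_handler' );
```

When reviewing a plugin for this pattern, grep for do_shortcode() and trace each argument back to its origin; any path from $_GET, $_POST or a REST request body to that call without a strict allowlist is the same defect.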
Details
- CWE(s)