Arbitrary Short Code Execution Vulnerability in Currency Switcher Professional for WooCommerce
CVE-2024-10640

7.3HIGH

Key Information:

Vendor: Wordpress
Status: Fox – Currency Switcher Professional For WooCommerce
Vendor: CVE Published:; 9 November 2024

What is CVE-2024-10640?

The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress suffers from a vulnerability that allows for arbitrary shortcode execution. This issue affects all versions up to and including 1.4.2.2. The vulnerability arises when the software permits users to execute an action without appropriately validating the input value prior to invoking the do_shortcode function. As a result, attackers, who do not require authentication, are able to exploit this flaw to execute arbitrary shortcodes, potentially compromising the security and functionality of affected WordPress sites.

Affected Version(s)

FOX – Currency Switcher Professional for WooCommerce * <= 1.4.2.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Nov 9, 2024
Vulnerability Reserved
Oct 31, 2024

Credit

Michael Mazzolini