Arbitrary Shortcode Execution Vulnerability in CURCY – Multi Currency for WooCommerce Plugin
CVE-2024-13487

7.3 HIGH

Key Information:

Vendor: Villatheme
Product: Curcy – Multi Currency For WooCommerce – The Best Free Currency Exchange Plugin – Run Smoothly On WooCommerce 9.x
CVE Published: 6 February 2025

What is CVE-2024-13487?

CVE-2024-13487 is a vulnerability in the CURCY Multi Currency for WooCommerce plugin, developed by Villatheme. The plugin adds multi-currency pricing to WooCommerce stores running on WordPress. The flaw is an arbitrary shortcode execution issue: the plugin's get_products_price() function does not validate a value before passing it to WordPress's shortcode engine, so an unauthenticated attacker can have the site expand shortcodes of their choosing. Because the function is reachable without logging in, any store with a vulnerable version installed is exposed to every visitor.

Technical Details

The vulnerability is present in all versions of CURCY Multi Currency for WooCommerce up to and including 2.2.5. The affected code passes a value derived from the request to do_shortcode() without first validating it. Any shortcode registered on the site, whether by WordPress core, the active theme or another plugin, can therefore be invoked with attacker-supplied text, and no authentication is required to reach the code path.
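
The following is an added, illustrative example of the bug class described above and is not code from the CURCY plugin or from Villatheme. It shows a hypothetical AJAX price handler (example_get_products_price_vulnerable, with made-up parameters product_id and template) that hands request data to do_shortcode(), beside a hardened version that keeps request data out of the shortcode engine entirely. It assumes a WordPress site with WooCommerce loaded, since it relies on wc_get_product(), wc_price() and the wp_ajax hooks.

```php
<?php
/**
 * Illustrative only: a hypothetical handler modelled on the bug class
 * (unvalidated request data reaching do_shortcode()). This is NOT the
 * CURCY plugin's code. Assumes WordPress + WooCommerce are loaded.
 */

// --- Vulnerable pattern (hypothetical) ---------------------------------
// The handler builds a price string from a request parameter and then runs
// the result through do_shortcode(). Any [shortcode] tag that the caller
// places in the `template` parameter is expanded by WordPress, and the
// handler is registered for unauthenticated (nopriv) callers.
function example_get_products_price_vulnerable() {
    $product_id = isset( $_POST['product_id'] ) ? absint( $_POST['product_id'] ) : 0;
    $template   = isset( $_POST['template'] ) ? wp_unslash( $_POST['template'] ) : '{price}';

    $product = wc_get_product( $product_id );
    if ( ! $product ) {
        wp_send_json_error( 'no such product' ); // calls wp_die(), ends request
    }

    // Attacker-controlled text is interpolated, then handed to the
    // shortcode engine: every registered shortcode inside $template runs.
    $html = str_replace( '{price}', wc_price( $product->get_price() ), $template );
    wp_send_json_success( do_shortcode( $html ) );
}

// --- Hardened pattern --------------------------------------------------
// 1. Request data never reaches do_shortcode(); only fixed server-side
//    strings are used to build the markup.
// 2. A caller may choose a display variant, but only by an identifier that
//    is looked up in an allow-list, never by free text.
// 3. wc_price() returns already-escaped HTML, so no further shortcode
//    processing is needed on the way out.
function example_get_products_price_hardened() {
    $product_id = isset( $_POST['product_id'] ) ? absint( $_POST['product_id'] ) : 0;
    $variant    = isset( $_POST['variant'] ) ? sanitize_key( wp_unslash( $_POST['variant'] ) ) : 'plain';

    $product = wc_get_product( $product_id );
    if ( ! $product ) {
        wp_send_json_error( 'no such product' );
    }

    $templates = array(
        'plain' => '%s',
        'boxed' => '<span class="price-box">%s</span>',
    );
    if ( ! isset( $templates[ $variant ] ) ) {
        $variant = 'plain'; // unknown identifiers fall back to the default
    }

    $html = sprintf( $templates[ $variant ], wc_price( $product->get_price() ) );
    wp_send_json_success( $html );
}

// Only the hardened handler is wired up, for both logged-in and anonymous callers.
add_action( 'wp_ajax_nopriv_example_get_price', 'example_get_products_price_hardened' );
add_action( 'wp_ajax_example_get_price', 'example_get_products_price_hardened' );
```

The general rule this demonstrates is that do_shortcode() is a code-execution boundary: whatever reaches it can invoke every shortcode callback registered on the site. If a handler genuinely must keep do_shortcode() on a string that contains user input, run strip_shortcodes() over the user-supplied part before interpolating it, but the safer design is the allow-list above, where request data only selects among fixed server-side templates.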

Potential Impact of CVE-2024-13487

  1. Unauthorized Shortcode Execution: An unauthenticated visitor can make the site expand any shortcode registered by WordPress core, the active theme or other installed plugins. What that achieves depends on which shortcodes are registered; it is not direct arbitrary code execution, which is why the CVSS confidentiality, integrity and availability impacts are each rated Low.

  2. Data Exposure: Shortcodes that render user, order, product or configuration data could be invoked by attackers who would not normally be able to reach that content, exposing personal or commercial information from the store.

  3. Service Disruption: Repeatedly invoking expensive or side-effecting shortcodes through the unauthenticated endpoint could degrade or interrupt the store, harming operational integrity and customer trust.

Affected Version(s)

CURCY – Multi Currency for WooCommerce – The best free currency exchange plugin – Run smoothly on WooCommerce 9.x: all versions <= 2.2.5

CVSS V3.1

Score: 7.3
Severity: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: Low

Timeline

  • Vulnerability published: 6 February 2025

  • Vulnerability reserved

Credit

Michael Mazzolini