
Critical vulnerability in Currency Switcher for WooCommerce

31.10.2019

During one of our penetration tests we found a critical security vulnerability in Currency Switcher for WooCommerce.

Edit:
The vulnerability has been assigned an official CVE ID: CVE-2019-18668.
 
Original:
Our intrepid researcher Luka Sikic was exploring Currency Switcher, a popular WooCommerce plugin with more than 5,000 installations on WordPress. It offers features such as automatic exchange-rate updates, per-product prices in each currency, and currency selection by the visitor's country.
During one of our latest penetration tests we had the chance to attack a web shop that uses the aforementioned plugin, and Luka found a critical vulnerability. In short, in version 2.11.1 and earlier the plugin accepted a currency that was not enabled in the shop's settings. By forcing the conversion into a currency of lower value, we could buy a product for a fraction of its price.
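To make the bug class concrete, here is an added example that is not the plugin's code and not anything Luka or WP Wham published; it is written in Python rather than the plugin's PHP because only the logic matters. It models a shop checkout that trusts the currency supplied by the client, beside a hardened version that checks the requested currency against the server-side list of enabled currencies. Everything in it is an assumption for the illustration: the function and table names, the rate values, the request format, and in particular the idea that a currency with no configured rate is converted at a rate of 1 (the page does not say which step of the plugin's conversion went wrong, only that a disabled currency could be forced).

```python
"""Model of a currency-switch price-manipulation bug (constructed example).

Not the Currency Switcher plugin's code. All names, rates and the request
shape are assumptions made for this illustration.
"""
from decimal import Decimal, ROUND_HALF_UP

BASE_CURRENCY = "EUR"
CENTS = Decimal("0.01")

# Currencies the shop owner switched on in the settings (constructed).
ENABLED_CURRENCIES = {"EUR", "USD"}

# Rates the shop actually configured, relative to the base currency
# (constructed). Disabled currencies deliberately have no entry here.
CONFIGURED_RATES = {
    "EUR": Decimal("1"),
    "USD": Decimal("1.11"),
}

# Market rates for every currency (constructed), used only to express what
# an amount charged in some currency is really worth to the shop.
MARKET_RATES = {
    "EUR": Decimal("1"),
    "USD": Decimal("1.11"),
    "HRK": Decimal("7.43"),
    "JPY": Decimal("120"),
}


def to_money(amount):
    """Round a Decimal (or numeric string) to cents, half up."""
    return Decimal(amount).quantize(CENTS, ROUND_HALF_UP)


def value_in_base(currency, amount):
    """What an amount in `currency` is really worth in the base currency."""
    return to_money(Decimal(amount) / MARKET_RATES[currency])


def checkout_vulnerable(request, cart_total_base):
    """Weak behaviour: the currency is taken straight from the client.

    Assumption (not stated on the page): a currency without a configured
    rate is converted at 1, so only the unit changes and not the number.
    Returns (currency charged, amount charged).
    """
    currency = request.get("currency", BASE_CURRENCY)
    rate = CONFIGURED_RATES.get(currency, Decimal("1"))
    return currency, to_money(Decimal(cart_total_base) * rate)


def checkout_fixed(request, cart_total_base):
    """Hardened: the client may only pick from the server-side allowlist,
    and only if a rate is configured; anything else falls back to the base
    currency instead of being honoured. Returns (currency, amount)."""
    currency = request.get("currency", BASE_CURRENCY)
    if currency not in ENABLED_CURRENCIES or currency not in CONFIGURED_RATES:
        currency = BASE_CURRENCY
    return currency, to_money(Decimal(cart_total_base) * CONFIGURED_RATES[currency])


if __name__ == "__main__":
    total = "100.00"  # cart total in the base currency (constructed)
    # The attacker's request carries a currency the shop never enabled.
    for req in ({}, {"currency": "USD"}, {"currency": "HRK"}, {"currency": "JPY"}):
        cur_v, amt_v = checkout_vulnerable(req, total)
        cur_f, amt_f = checkout_fixed(req, total)
        print(f"request={req!s:20} vulnerable charges {amt_v} {cur_v} "
              f"(worth {value_in_base(cur_v, amt_v)} {BASE_CURRENCY}); "
              f"fixed charges {amt_f} {cur_f}")
```

Run as a script it prints one line per request: the vulnerable path charges 100.00 HRK (worth about 13.46 EUR) or 100.00 JPY (about 0.83 EUR) for a 100.00 EUR cart, while the fixed path charges 100.00 EUR for any currency that is not both enabled and configured. The general lesson is the usual one: a currency code, like a price or a discount code, is state the server must validate against its own configuration, never a value to be trusted from the request.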
 
We notified the plugin's developer, WP Wham, who reacted swiftly and fixed the problem. Version 2.11.2 of the plugin addresses this vulnerability, so we urge all users to update to it.