Refine your search
2 vulnerabilities found for CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x by villatheme
CVE-2024-13487 (GCVE-0-2024-13487)
Vulnerability from cvelistv5
Published
2025-02-06 06:53
Modified
2026-04-08 17:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Summary
The The CURCY – Multi Currency for WooCommerce – The best free currency exchange plugin – Run smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution via the get_products_price() function in all versions up to, and including, 2.2.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| villatheme | CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x |
Version: 0 ≤ 2.2.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13487",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-06T14:31:03.556149Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T18:14:10.170Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CURCY \u2013 Multi Currency for WooCommerce \u2013 Smoothly on WooCommerce 9.x",
"vendor": "villatheme",
"versions": [
{
"lessThanOrEqual": "2.2.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Mazzolini"
}
],
"descriptions": [
{
"lang": "en",
"value": "The The CURCY \u2013 Multi Currency for WooCommerce \u2013 The best free currency exchange plugin \u2013 Run smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution via the get_products_price() function in all versions up to, and including, 2.2.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:26:17.368Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d630dd85-0169-4582-a8ae-54e5053425ac?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woo-multi-currency/trunk/frontend/cache.php#L60"
},
{
"url": "https://wordpress.org/plugins/woo-multi-currency/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3234505/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-05T18:44:02.000Z",
"value": "Disclosed"
}
],
"title": "CURCY \u2013 Multi Currency for WooCommerce \u003c= 2.2.5 - Unauthenticated Arbitrary Shortcode Execution via get_products_price Function"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13487",
"datePublished": "2025-02-06T06:53:40.819Z",
"dateReserved": "2025-01-16T19:08:17.265Z",
"dateUpdated": "2026-04-08T17:26:17.368Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-4376 (GCVE-0-2021-4376)
Vulnerability from cvelistv5
Published
2023-06-07 01:51
Modified
2026-04-08 17:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
The WooCommerce Multi Currency plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.17. This makes it possible for authenticated attackers to change the price of a product to an arbitrary value.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| villatheme | CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x |
Version: 0 ≤ 2.1.17 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:23:10.719Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d8a490c6-14c1-4c71-b44c-1e362cc892a8?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/480125bc-bab3-45b8-9325-a4d406655a61"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/woo-multi-currency/#developers"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2734576%40woo-multi-currency\u0026new=2734576%40woo-multi-currency\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-4376",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-20T23:26:59.952955Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T23:50:01.341Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CURCY \u2013 Multi Currency for WooCommerce \u2013 Smoothly on WooCommerce 9.x",
"vendor": "villatheme",
"versions": [
{
"lessThanOrEqual": "2.1.17",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jerome Bruandet"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WooCommerce Multi Currency plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.17. This makes it possible for authenticated attackers to change the price of a product to an arbitrary value."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:26:55.408Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d8a490c6-14c1-4c71-b44c-1e362cc892a8?source=cve"
},
{
"url": "https://wpscan.com/vulnerability/480125bc-bab3-45b8-9325-a4d406655a61"
},
{
"url": "https://wordpress.org/plugins/woo-multi-currency/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2734576%40woo-multi-currency\u0026new=2734576%40woo-multi-currency\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2021-09-13T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WooCommerce Multi Currency \u003c= 2.1.17 - Missing Authorization"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2021-4376",
"datePublished": "2023-06-07T01:51:46.083Z",
"dateReserved": "2023-06-06T13:20:38.952Z",
"dateUpdated": "2026-04-08T17:26:55.408Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}