Main Vulnerability Database SB2019110404

SB2019110404 - Security restriction bypass in Currency Switcher for WooCommerce plugin for WordPress

Published: November 4, 2019 Updated: November 4, 2019

Security Bulletin ID SB2019110404

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Input validation error (CVE-ID: CVE-2019-18668)

The vulnerability allows a remote attacker to bypass security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input. A remote authenticated attacker can provide a currency that isn't enabled in the settings and is worth less than this default and eventually purchase an item for a significantly cheaper price.

Remediation

Install update from vendor's website.

References

https://wordpress.org/plugins/currency-switcher-woocommerce/#developers
https://www.infigo.hr/en/critical-vulnerability-in-currency-switcher-for-woocommerce-n61