Input validation error in Currency Switcher for WooCommerce

#VU22489 Input validation error in Currency Switcher for WooCommerce

Published: 2019-11-04

Vulnerability identifier: #VU22489

Vulnerability risk: Medium

CVSSv3.1: 4.7 [CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-18668

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Currency Switcher for WooCommerce
Web applications / Modules and components for CMS

Vendor: Algoritmika Ltd

Description

The vulnerability allows a remote attacker to bypass security restrictions.

The vulnerability exists due to insufficient validation of user-supplied input. A remote authenticated attacker can provide a currency that isn't enabled in the settings and is worth less than this default and eventually purchase an item for a significantly cheaper price.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Currency Switcher for WooCommerce: 1.0.0 - 2.11.1

External links
http://wordpress.org/plugins/currency-switcher-woocommerce/#developers
http://www.infigo.hr/en/critical-vulnerability-in-currency-switcher-for-woocommerce-n61

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Security restriction bypass in Currency Switcher for WooCommerce plugin for WordPress