CURCY WooCommerce Multi-Currency Plugin Unauthenticated Shortcode Execution Vulnerability

Vulnerability

A vulnerability exists in the CURCY - Multi Currency for WooCommerce plugin in all versions up to and including 2.2.5. It allows unauthenticated users to execute arbitrary shortcodes through the get_products_price() function: the plugin passes the supplied value to shortcode processing without validating it, so any shortcode registered on the site can be executed by an unauthorized caller.

Impact

Exploitation of this vulnerability allows arbitrary shortcode execution, which could be used to manipulate content or functionality on the WordPress site; the reach of an attack is bounded by what the shortcodes registered on that site (by core, the theme and other plugins) can do.

Reproduction

The vulnerability can be reproduced by sending a request to the 'wp_ajax_nopriv_wmc_get_products_price' action with a 'shortcodes' parameter. Because the handler is registered under the 'wp_ajax_nopriv_' prefix, WordPress serves it to unauthenticated callers; the 'shortcodes' parameter can contain any shortcode, which the site then executes.

Remediation

Users are advised to update the CURCY - Multi Currency for WooCommerce plugin to version 2.2.6 or later.
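The following is an added illustration, not code from the CURCY plugin or its vendor. It shows the weak pattern the advisory describes (free-form shortcode text from a nopriv AJAX request expanded as-is) next to a hardened handler that requires a nonce and accepts only an allowlist of shortcode tags. Every function, hook, nonce action and shortcode tag prefixed "example_" is an assumption made for the illustration; do_shortcode(), get_shortcode_regex(), check_ajax_referer() and the wp_send_json_* helpers are standard WordPress functions.

```php
<?php
// Added example, not the CURCY plugin's own code. All "example_" names are
// assumptions made for illustration only.

/**
 * Weak pattern: whatever arrives in 'shortcodes' is expanded unchanged, and
 * because the hook is registered under wp_ajax_nopriv_ the handler is
 * reachable without authentication, so any registered shortcode can run.
 */
function example_weak_handler() {
    $text = isset( $_POST['shortcodes'] ) ? wp_unslash( $_POST['shortcodes'] ) : '';
    echo do_shortcode( $text ); // caller-controlled shortcode text
    wp_die();
}

/** The only tags this endpoint should ever render: the plugin's own. */
function example_allowed_tags() {
    return array( 'example_product_price' ); // assumed tag name
}

/**
 * Return true only if $text is a bounded string and every shortcode in it
 * uses an allowlisted tag. Capture group 2 of get_shortcode_regex() is the
 * tag name of each match.
 */
function example_only_allowed_shortcodes( $text ) {
    if ( ! is_string( $text ) || strlen( $text ) > 4096 ) {
        return false;
    }
    if ( ! preg_match_all( '/' . get_shortcode_regex() . '/s', $text, $m ) ) {
        return false; // nothing renderable was supplied
    }
    foreach ( $m[2] as $tag ) {
        if ( ! in_array( $tag, example_allowed_tags(), true ) ) {
            return false; // a tag outside the allowlist: reject the whole request
        }
    }
    return true;
}

/**
 * Hardened form: the request must carry a nonce issued to the page that
 * legitimately calls this endpoint, and the input is checked against the
 * allowlist before do_shortcode() runs. Anything else gets a 400.
 */
function example_safe_handler() {
    check_ajax_referer( 'example_wmc_price', 'nonce' ); // dies with 403 on failure
    $text = isset( $_POST['shortcodes'] ) ? wp_unslash( $_POST['shortcodes'] ) : '';
    if ( ! example_only_allowed_shortcodes( $text ) ) {
        wp_send_json_error( 'unsupported shortcode', 400 );
    }
    wp_send_json_success( do_shortcode( $text ) );
}

// Storefront visitors are anonymous, so a nopriv hook is still needed; the
// nonce and the allowlist, not login state, are what constrain the caller.
add_action( 'wp_ajax_example_get_products_price',        'example_safe_handler' );
add_action( 'wp_ajax_nopriv_example_get_products_price', 'example_safe_handler' );
```

A nopriv hook is legitimate for a storefront feature that anonymous shoppers use, which is why the fix is not simply removing it: the page that issues the request embeds a nonce (for example via wp_localize_script() and wp_create_nonce('example_wmc_price')), and the server decides which tags it will render rather than trusting the client to name them. Sites that cannot update immediately can also watch their access logs for admin-ajax.php requests carrying action=wmc_get_products_price together with a shortcodes parameter that names tags the storefront never sends.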

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating (Custom Algorithm)

  spread          3.4
  impact          1.3
  exploitability  8.6
  remediation     7.7
  relevance       0.0
  threat          4.8
  urgency         2.9
  incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.