Search criteria
4 vulnerabilities found for CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x by villatheme
CVE-2024-13487 (GCVE-0-2024-13487)
Vulnerability from nvd – Published: 2025-02-06 06:53 – Updated: 2026-04-08 17:26
VLAI
Title
CURCY – Multi Currency for WooCommerce <= 2.2.5 - Unauthenticated Arbitrary Shortcode Execution via get_products_price Function
Summary
The The CURCY – Multi Currency for WooCommerce – The best free currency exchange plugin – Run smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution via the get_products_price() function in all versions up to, and including, 2.2.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Severity
7.3 (High)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| villatheme | CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x |
Affected:
0 , ≤ 2.2.5
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13487",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-06T14:31:03.556149Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T18:14:10.170Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CURCY \u2013 Multi Currency for WooCommerce \u2013 Smoothly on WooCommerce 9.x",
"vendor": "villatheme",
"versions": [
{
"lessThanOrEqual": "2.2.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Mazzolini"
}
],
"descriptions": [
{
"lang": "en",
"value": "The The CURCY \u2013 Multi Currency for WooCommerce \u2013 The best free currency exchange plugin \u2013 Run smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution via the get_products_price() function in all versions up to, and including, 2.2.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:26:17.368Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d630dd85-0169-4582-a8ae-54e5053425ac?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woo-multi-currency/trunk/frontend/cache.php#L60"
},
{
"url": "https://wordpress.org/plugins/woo-multi-currency/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3234505/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-05T18:44:02.000Z",
"value": "Disclosed"
}
],
"title": "CURCY \u2013 Multi Currency for WooCommerce \u003c= 2.2.5 - Unauthenticated Arbitrary Shortcode Execution via get_products_price Function"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13487",
"datePublished": "2025-02-06T06:53:40.819Z",
"dateReserved": "2025-01-16T19:08:17.265Z",
"dateUpdated": "2026-04-08T17:26:17.368Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-4376 (GCVE-0-2021-4376)
Vulnerability from nvd – Published: 2023-06-07 01:51 – Updated: 2026-04-08 17:26
VLAI
Title
WooCommerce Multi Currency <= 2.1.17 - Missing Authorization
Summary
The WooCommerce Multi Currency plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.17. This makes it possible for authenticated attackers to change the price of a product to an arbitrary value.
Severity
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| villatheme | CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x |
Affected:
0 , ≤ 2.1.17
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:23:10.719Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d8a490c6-14c1-4c71-b44c-1e362cc892a8?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/480125bc-bab3-45b8-9325-a4d406655a61"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/woo-multi-currency/#developers"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2734576%40woo-multi-currency\u0026new=2734576%40woo-multi-currency\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-4376",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-20T23:26:59.952955Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T23:50:01.341Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CURCY \u2013 Multi Currency for WooCommerce \u2013 Smoothly on WooCommerce 9.x",
"vendor": "villatheme",
"versions": [
{
"lessThanOrEqual": "2.1.17",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jerome Bruandet"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WooCommerce Multi Currency plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.17. This makes it possible for authenticated attackers to change the price of a product to an arbitrary value."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:26:55.408Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d8a490c6-14c1-4c71-b44c-1e362cc892a8?source=cve"
},
{
"url": "https://wpscan.com/vulnerability/480125bc-bab3-45b8-9325-a4d406655a61"
},
{
"url": "https://wordpress.org/plugins/woo-multi-currency/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2734576%40woo-multi-currency\u0026new=2734576%40woo-multi-currency\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2021-09-13T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WooCommerce Multi Currency \u003c= 2.1.17 - Missing Authorization"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2021-4376",
"datePublished": "2023-06-07T01:51:46.083Z",
"dateReserved": "2023-06-06T13:20:38.952Z",
"dateUpdated": "2026-04-08T17:26:55.408Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-13487 (GCVE-0-2024-13487)
Vulnerability from cvelistv5 – Published: 2025-02-06 06:53 – Updated: 2026-04-08 17:26
VLAI
Title
CURCY – Multi Currency for WooCommerce <= 2.2.5 - Unauthenticated Arbitrary Shortcode Execution via get_products_price Function
Summary
The The CURCY – Multi Currency for WooCommerce – The best free currency exchange plugin – Run smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution via the get_products_price() function in all versions up to, and including, 2.2.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Severity
7.3 (High)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| villatheme | CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x |
Affected:
0 , ≤ 2.2.5
(semver)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13487",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-06T14:31:03.556149Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-18T18:14:10.170Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CURCY \u2013 Multi Currency for WooCommerce \u2013 Smoothly on WooCommerce 9.x",
"vendor": "villatheme",
"versions": [
{
"lessThanOrEqual": "2.2.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Mazzolini"
}
],
"descriptions": [
{
"lang": "en",
"value": "The The CURCY \u2013 Multi Currency for WooCommerce \u2013 The best free currency exchange plugin \u2013 Run smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution via the get_products_price() function in all versions up to, and including, 2.2.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:26:17.368Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d630dd85-0169-4582-a8ae-54e5053425ac?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woo-multi-currency/trunk/frontend/cache.php#L60"
},
{
"url": "https://wordpress.org/plugins/woo-multi-currency/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3234505/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-05T18:44:02.000Z",
"value": "Disclosed"
}
],
"title": "CURCY \u2013 Multi Currency for WooCommerce \u003c= 2.2.5 - Unauthenticated Arbitrary Shortcode Execution via get_products_price Function"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13487",
"datePublished": "2025-02-06T06:53:40.819Z",
"dateReserved": "2025-01-16T19:08:17.265Z",
"dateUpdated": "2026-04-08T17:26:17.368Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-4376 (GCVE-0-2021-4376)
Vulnerability from cvelistv5 – Published: 2023-06-07 01:51 – Updated: 2026-04-08 17:26
VLAI
Title
WooCommerce Multi Currency <= 2.1.17 - Missing Authorization
Summary
The WooCommerce Multi Currency plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.17. This makes it possible for authenticated attackers to change the price of a product to an arbitrary value.
Severity
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| villatheme | CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x |
Affected:
0 , ≤ 2.1.17
(semver)
|
Credits
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:23:10.719Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d8a490c6-14c1-4c71-b44c-1e362cc892a8?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/480125bc-bab3-45b8-9325-a4d406655a61"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/woo-multi-currency/#developers"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2734576%40woo-multi-currency\u0026new=2734576%40woo-multi-currency\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-4376",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-20T23:26:59.952955Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T23:50:01.341Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CURCY \u2013 Multi Currency for WooCommerce \u2013 Smoothly on WooCommerce 9.x",
"vendor": "villatheme",
"versions": [
{
"lessThanOrEqual": "2.1.17",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jerome Bruandet"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WooCommerce Multi Currency plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.17. This makes it possible for authenticated attackers to change the price of a product to an arbitrary value."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:26:55.408Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d8a490c6-14c1-4c71-b44c-1e362cc892a8?source=cve"
},
{
"url": "https://wpscan.com/vulnerability/480125bc-bab3-45b8-9325-a4d406655a61"
},
{
"url": "https://wordpress.org/plugins/woo-multi-currency/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2734576%40woo-multi-currency\u0026new=2734576%40woo-multi-currency\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2021-09-13T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WooCommerce Multi Currency \u003c= 2.1.17 - Missing Authorization"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2021-4376",
"datePublished": "2023-06-07T01:51:46.083Z",
"dateReserved": "2023-06-06T13:20:38.952Z",
"dateUpdated": "2026-04-08T17:26:55.408Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}