WordPress Plugin Vulnerabilities

Currency Switcher for WooCommerce < 2.16.3 - Reflected Cross-Site Scripting

Description

The Currency Switcher for WooCommerce plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.16.2. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
currency-switcher-woocommerce
Fixed in 2.16.3

References

CVE
CVE-2024-9217
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/3357892e-c047-406b-8914-018ea966e799

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.1 (medium)

Miscellaneous

Original Researcher
Colin Xu
Verified
No
WPVDB ID
92218190-ca00-4b25-9cd8-dc432e5ac14d

Timeline

Publicly Published
2025-02-28 (about 1 year ago)
Added
2025-02-28 (about 1 year ago)
Last Updated
2025-03-11 (about 1 year ago)

Other

Published
Title
Published
2025-07-09
Title
wpForo Forum < 2.4.6 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Profile Avatar
Published
2022-05-09
Title
IMDB info box <= 2.0 - Admin+ Stored Cross-Site Scripting
Published
2025-02-11
Title
WooCommerce Pricing – Product Pricing < 1.1.0 - Unauthenticated Stored Cross-Site Scripting
Published
2026-04-01
Title
Ultimate Addons for WPBakery Page Builder < 3.21.4 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2023-03-20
Title
Klaviyo <= 3.0.10 - Admin+ Stored XSS