WordPress Plugin Vulnerabilities

WooCommerce Currency Switcher < 1.3.7 - Authenticated (Low Privilege) Local File Inclusion

Description

The WooCommerce Currency Switcher plugin was vulnerable to LFI attacks via the "woocs" shortcode.

Affects Plugins

Plugin icon
woocommerce-currency-switcher
Fixed in 1.3.7

References

CVE
CVE-2021-24566
URL
https://jetpack.com/2021/07/22/severe-vulnerability-patched-in-woocommerce-currency-switcher/

Classification

Type
LFI
OWASP top 10
A1: Injection
CWE
CWE-22
CVSS
9.9 (critical)

Miscellaneous

Original Researcher
Marc Montpas (Jetpack Scan)
Submitter
Marc Montpas
Submitter website
https://jetpack.com/
Submitter twitter
marcS0H
Verified
Yes
WPVDB ID
a0bc4b13-53fe-462d-8306-8915196d3a5a

Timeline

Publicly Published
2021-07-22 (about 2 years ago)
Added
2021-07-22 (about 2 years ago)
Last Updated
2023-01-24 (about 1 years ago)

Other

Published
Title
Published
2015-10-05
Title
Easy2Map < 1.3.0 - Local File Inclusion
Published
2015-07-05
Title
WP e-Commerce Shop Styling <= 2.5 - Local File Inclusion
Published
2014-08-01
Title
Vitamin 1.0 - add_headers.php path Parameter Traversal Arbitrary File Access
Published
2014-12-29
Title
Sell Downloads 1.0.1 - Arbitrary File Disclosure
Published
2021-04-05
Title
Tutor LMS < 1.8.8 - Authenticated Local File Inclusion