WordPress Plugin Vulnerabilities

CURCY – Multi Currency for WooCommerce < 2.2.6 - Unauthenticated Arbitrary Shortcode Execution via get_products_price Function

Description

The The CURCY – Multi Currency for WooCommerce – The best free currency exchange plugin – Run smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution via the get_products_price() function in all versions up to, and including, 2.2.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

Affects Plugins

Plugin icon
woo-multi-currency
Fixed in 2.2.6

References

CVE
CVE-2024-13487
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/d630dd85-0169-4582-a8ae-54e5053425ac

Classification

Type
RCE
OWASP top 10
A1: Injection
CWE
CWE-94
CVSS
7.3 (high)

Miscellaneous

Original Researcher
mikemyers
Verified
No
WPVDB ID
a102000b-2b30-450a-a4eb-4cc4854e03ac

Timeline

Publicly Published
2025-02-05 (about 1 year ago)
Added
2025-02-05 (about 1 year ago)
Last Updated
2025-02-06 (about 1 year ago)

Other

Published
Title
Published
2015-05-06
Title
eShop <= 6.3.11 - Remote Code Execution
Published
2024-08-21
Title
WPML Multilingual CMS < 4.6.13 - Contributor+ RCE via Twig Server-Side Template Injection
Published
2025-12-08
Title
ProfilePress < 4.16.8 - Authenticated (Subscriber+) Arbitrary Shortcode Execution
Published
2020-10-09
Title
Autoptimize < 2.7.8 - Race Condition leading to RCE
Published
2025-12-12
Title
Shortcode Loader <= 1.0 - Unauthenticated Arbitrary Shortcode Execution via 'code' Parameter