HomeNews & updatesWooCommerce Multi Currency Bug Allows Shoppers to Change eCommerce Pricing - Threatpost

WooCommerce Multi Currency Bug Allows Shoppers to Change eCommerce Pricing – Threatpost

Share this article:
The security vulnerability can be exploited with a malicious CSV file.
A security vulnerability in the WooCommerce Multi Currency plugin could allow any customer to change the pricing for products in online stores.
WooCommerce is a popular eCommerce plugin for WordPress-powered websites; the Multi Currency plugin from Envato meanwhile allows e-tailers using WooCommerce to set pricing for international shoppers. The plugin automatically detects a customer’s geolocation and displays pricing in the customer country’s currency, with the exchange rate set manually or automatically using current exchange rates. It has 7,700 sales on the Envato Marketplace.
According to the Ninja Technologies Network (NinTechNet), the issue is a broken access-control vulnerability in version 2.1.17 and below, impacting Multi Currency’s “Import Fixed Price” feature, which allows eCommerce sites to set custom prices, thus overwriting any prices calculated automatically by exchange rate.
Infosec Insiders Newsletter
“The import function, import_csv(), is loaded by the wmc_bulk_fixed_price AJAX hook in the “woocommerce-multi-currency/includes/import-export/import-csv.php” script,” according to a NinTechNet analysis on Monday. “The function lacks a capability check and a security nonce, and therefore is accessible to all authenticated users, which includes WooCommerce customers.”
To exploit the problem, cyberattackers could upload a specially crafted CSV file to the site, which uses a product’s current currency and the product ID. This allows them to change the price of one or multiple products, researchers explained.
“The vulnerability is particularly damaging for online shops selling digital goods because the attacker will have time to download the goods,” they said. “It is important to verify every order because the hack doesn’t change the product’s price in the backend, hence the shop manager may unlikely notice it immediately.”
To avoid becoming impacted, website admins should update to the latest version of the plugin, v. 2.1.18, which contains a patch.
WooCommerce users continue to face patching requirements lately. In late August, a pair of security vulnerabilities in the WooCommerce Dynamic Pricing and Discounts plugin from Envato were disclosed, which could allow unauthenticated attackers inject malicious code into websites running unpatched versions. This can result in a variety of attacks, including website redirections to phishing pages, insertion of malicious scripts on product pages and more.
And in July, a critical SQL-injection security vulnerability in the WooCommerce e-commerce platform and a related plugin was found to be under attack as a zero-day bug. The exploitation prompted WooCommerce to release an emergency patch for the issue, which could allow unauthenticated cyberattackers to make off with scads of information from an online store’s database – anything from customer data and payment-card info to employee credentials.
It’s time to evolve threat hunting into a pursuit of adversaries. JOIN Threatpost and Cybersixgill for Threat Hunting to Catch Adversaries, Not Just Stop Attacks and get a guided tour of the dark web and learn how to track threat actors before their next attack. REGISTER NOW for the LIVE discussion on Sept. 22 at 2 p.m. EST with Cybersixgill’s Sumukh Tendulkar and Edan Cohen, along with independent researcher and vCISO Chris Roberts and Threatpost host Becky Bracken.
Share this article:
Lockbit is by far this summer’s most prolific ransomware group, trailed by two offshoots of the Conti group.
Tens of thousands of cameras have failed to patch a critical, 11-month-old CVE, leaving thousands of organizations exposed.
CISA is warning that Palo Alto Networks’ PAN-OS is under active attack and needs to be patched ASAP.
Tens of thousands of cameras have failed to patch a critical, 11-month-old CVE, leaving thousands of organizations… https://t.co/iYq3WeTkbf
2 months ago
The First Stop For Security News
Infosec Insider content is written by a trusted community of Threatpost cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.
Sponsored Content is paid for by an advertiser. Sponsored content is written and edited by members of our sponsor community. This content creates an opportunity for a sponsor to provide insight and commentary from their point-of-view directly to the Threatpost audience. The Threatpost editorial team does not participate in the writing or editing of Sponsored Content.


- Advertisment -

Most Popular

- Advertisment -