A major flaw has been found in a WooCommerce multi-currency plugin that could allow customers to change the pricing of products in online stores that use the plugin. According to the Ninja Technologies Network (NinTechNet), the affected plugin is WooCommerce Multi-Currency by TIV.NET INC, which is listed on the official WooCommerce website.
WooCommerce Multi-Currency is a popular plugin for e-commerce stores. It switches currencies and recalculates converted prices on the fly, and is used on sites that offer international products and deal with international customers.
It uses visitors’ geolocation data to display prices in the currency of the customer’s country, with exchange rates either set manually or updated automatically from current rates. The plugin is quite popular, with more than 7000 sales on the Envato Marketplace.
According to the research company NinTechNet:
The issue is a broken access-control vulnerability in version 220.127.116.11 and below. It affects the Multi-Currency plugin’s “Import Fixed Price” feature, which allows e-commerce sites to set custom prices, overwriting any prices calculated automatically from the exchange rate.
“The import function, import_csv(), is loaded by the wmc_bulk_fixed_price AJAX hook in the ‘woocommerce-multi-currency/includes/import-export/import-csv.php’ script,” NinTechNet wrote in its analysis on Monday. “The function lacks a capability check and a security nonce, and therefore is accessible to all authenticated users, which includes WooCommerce customers.”
Attackers can exploit this issue by uploading a malicious CSV file to the site that references a product’s ID and its current currency, which allows them to change the price of one or multiple products, the researchers explained.
“The vulnerability is particularly damaging for online shops selling digital goods because the attacker will have time to download the goods,” they said. “It is important to verify every order because the hack doesn’t change the product’s price in the backend, hence the shop manager is unlikely to notice it immediately.”
To prevent this issue on your site, we highly recommend updating to the latest version of the plugin, v2.1.18, which contains a patch.
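As an added illustration (not the plugin’s own code, nor NinTechNet’s), here is what an AJAX import handler carrying the two checks the advisory says were missing looks like. The hook name comes from the advisory; the nonce action, request field names, capability, meta key and CSV layout are assumptions.

```php
<?php
/**
 * Added example, not the plugin's own code: a wp_ajax handler for a bulk
 * fixed-price CSV import carrying the two checks the advisory says were
 * missing. The hook name is from the article; the nonce action, request
 * field names, capability, meta key and CSV layout are assumptions.
 */
add_action( 'wp_ajax_wmc_bulk_fixed_price', 'wmc_example_import_fixed_prices' );

function wmc_example_import_fixed_prices() {
    // Nonce: the request must carry a token issued by this plugin's own admin
    // page via wp_create_nonce( 'wmc_import_fixed_price' ), sent as 'security'.
    // check_ajax_referer() terminates the request with 403 if it is missing or stale.
    check_ajax_referer( 'wmc_import_fixed_price', 'security' );

    // Capability: being logged in is not enough, because customers are
    // authenticated users too. Require a shop-management capability.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    if ( empty( $_FILES['csv']['tmp_name'] ) || ! is_uploaded_file( $_FILES['csv']['tmp_name'] ) ) {
        wp_send_json_error( array( 'message' => 'no file uploaded' ), 400 );
    }

    wp_send_json_success( wmc_example_apply_csv( $_FILES['csv']['tmp_name'] ) );
}

// Assumed CSV layout: product_id,currency,price. Every row is validated
// before anything is written, so a malformed file cannot set arbitrary values.
function wmc_example_apply_csv( $path ) {
    $allowed  = array( 'USD', 'EUR', 'GBP' ); // assumption: currencies enabled in the shop
    $applied  = 0;
    $rejected = array();
    $fh       = fopen( $path, 'r' );
    while ( ( $row = fgetcsv( $fh ) ) !== false ) {
        list( $product_id, $currency, $price ) = array_pad( $row, 3, null );
        $product = wc_get_product( absint( $product_id ) );
        if ( ! $product || ! in_array( $currency, $allowed, true ) || ! is_numeric( $price ) || $price < 0 ) {
            $rejected[] = $row; // surfaced to the admin rather than silently skipped
            continue;
        }
        // Assumed storage: one post-meta key per currency holding the fixed price.
        update_post_meta( $product->get_id(), '_wmc_fixed_price_' . $currency, wc_format_decimal( $price ) );
        $applied++;
    }
    fclose( $fh );
    return array( 'applied' => $applied, 'rejected' => $rejected );
}
```

Because the handler returns the rejected rows, a shop manager reviewing an import can see exactly which entries were refused, which also makes an unexpected import attempt visible in the response rather than only in the database.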
WordPress plugin vulnerability issues
WordPress and WooCommerce users continue to face such issues. In late August, an authentication bypass vulnerability was found in a popular WordPress plugin that could allow attackers to take complete control of WordPress-powered e-commerce websites.
Another flaw, in the SEOPress plugin, was discovered in August. It allowed an attacker to inject arbitrary web scripts into a vulnerable site, which would run whenever a user accessed the “All Posts” page.
We recommend you use a security plugin on your website and install plugins only from trusted sources such as WordPress, WooCommerce and ZetaMatic, which have a history of providing quality tools without such issues.