A security flaw in the WooCommerce Multi Currency plugin might allow any consumer to alter product prices in online stores. WooCommerce Multi Currency enables consumers to switch currencies and assists the shop in accepting multi-currency payments. It is possible to set the exchange rate manually or automatically. The plugin may automatically detect the customer’s location and display the price in their local currency.
WooCommerce is a WordPress-based eCommerce plugin; the Multi Currency plugin from Envato, on the other hand, allows WooCommerce users to customise prices for foreign customers. On the Envato Marketplace, it has a total of 7,700 sales.
According to Ninja Technologies Network (NinTechNet), the problem is a broken access-control vulnerability in Multi Currency version 2.1.17 and lower, which affects the “Import Fixed Price” feature, which allows eCommerce sites to set custom prices, overwriting any prices calculated automatically by exchange rate.
“The import function, import_csv(), is loaded by the wmc_bulk_fixed_price AJAX hook in the “woocommerce-multi-currency/includes/import-export/import-csv.php” script,” according to a NinTechNet analysis on Monday. “The function lacks a capability check and a security nonce, and therefore is accessible to all authenticated users, which includes WooCommerce customers.”
Cybercriminals might take advantage of the flaw by uploading a specially prepared CSV file to the site that contains the current currency of a product as well as the product ID. According to experts, this permits them to modify the price of one or more items. A comma-separated values (CSV) file allows you to save data in a tabular format. Most spreadsheet programmes, such as Microsoft Excel or Google Spreadsheets, can open SV files. They vary from other spreadsheet file types in that they can only contain a single sheet and do not store cell, column, or row information. In addition, formulas cannot be saved in this format.
“The vulnerability is particularly damaging for online shops selling digital goods because the attacker will have time to download the goods,” they said. “It is important to verify every order because the hack doesn’t change the product’s price in the backend, hence the shop manager may unlikely notice it immediately.”
Patching needs for WooCommerce users have been increasing recently. Envato’s WooCommerce Dynamic Pricing and Discounts plugin was discovered to have two security vulnerabilities in late August, which may allow unauthenticated attackers to inject malicious code onto websites running unpatched versions. This can lead to a number of assaults, such as website redirection to phishing pages, the injection of malicious scripts on product pages, and so on.