CVE-2024-13487

Name of the Vulnerable Software and Affected Versions The CURCY – Multi Currency for WooCommerce versions up to, and including, 2.2.5

Description The issue allows unauthenticated attackers to execute arbitrary shortcodes due to the software not properly validating a value before running do shortcode(). This is possible through the get products price() function. Unauthenticated users can execute arbitrary shortcodes into the popular free currency exchange plugin.

Recommendations As a temporary workaround, consider disabling the get products price() function until a patch is available. Restrict access to the do shortcode() function to minimize the risk of exploitation. Avoid using the get products price() function in the affected plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.