WooCommerce Multi Currency Bug Allows Shoppers to Change eCommerce Pricing

magecart web skimmer

The security vulnerability can be exploited with a malicious CSV file.

A security vulnerability in the WooCommerce Multi Currency plugin could allow any customer to change the pricing for products in online stores.

WooCommerce is a popular eCommerce plugin for WordPress-powered websites; the Multi Currency plugin from Envato meanwhile allows e-tailers using WooCommerce to set pricing for international shoppers. The plugin automatically detects a customer’s geolocation and displays pricing in the customer country’s currency, with the exchange rate set manually or automatically using current exchange rates. It has 7,700 sales on the Envato Marketplace.

According to the Ninja Technologies Network (NinTechNet), the issue is a broken access-control vulnerability in version 2.1.17 and below, impacting Multi Currency’s “Import Fixed Price” feature, which allows eCommerce sites to set custom prices, thus overwriting any prices calculated automatically by exchange rate.

Infosec Insiders Newsletter

“The import function, import_csv(), is loaded by the wmc_bulk_fixed_price AJAX hook in the “woocommerce-multi-currency/includes/import-export/import-csv.php” script,” according to a NinTechNet analysis on Monday. “The function lacks a capability check and a security nonce, and therefore is accessible to all authenticated users, which includes WooCommerce customers.”

To exploit the problem, cyberattackers could upload a specially crafted CSV file to the site, which uses a product’s current currency and the product ID. This allows them to change the price of one or multiple products, researchers explained.

“The vulnerability is particularly damaging for online shops selling digital goods because the attacker will have time to download the goods,” they said. “It is important to verify every order because the hack doesn’t change the product’s price in the backend, hence the shop manager may unlikely notice it immediately.”

To avoid becoming impacted, website admins should update to the latest version of the plugin, v. 2.1.18, which contains a patch.

WooCommerce users continue to face patching requirements lately. In late August, a pair of security vulnerabilities in the WooCommerce Dynamic Pricing and Discounts plugin from Envato were disclosed, which could allow unauthenticated attackers inject malicious code into websites running unpatched versions. This can result in a variety of attacks, including website redirections to phishing pages, insertion of malicious scripts on product pages and more.

And in July, a critical SQL-injection security vulnerability in the WooCommerce e-commerce platform and a related plugin was found to be under attack as a zero-day bug. The exploitation prompted WooCommerce to release an emergency patch for the issue, which could allow unauthenticated cyberattackers to make off with scads of information from an online store’s database – anything from customer data and payment-card info to employee credentials.

It’s time to evolve threat hunting into a pursuit of adversaries. JOIN Threatpost and Cybersixgill for Threat Hunting to Catch Adversaries, Not Just Stop Attacks and get a guided tour of the dark web and learn how to track threat actors before their next attack. REGISTER NOW for the LIVE discussion on Sept. 22 at 2 p.m. EST with Cybersixgill’s Sumukh Tendulkar and Edan Cohen, along with independent researcher and vCISO Chris Roberts and Threatpost host Becky Bracken.

Suggested articles