WooCommerce Multi Currency Bug Allows Shoppers to Change eCommerce Pricing
2021-09-13 18:08

A security vulnerability in the WooCommerce Multi Currency plugin could allow any customer to change the pricing for products in online stores.

WooCommerce is a popular eCommerce plugin for WordPress-powered websites. The Multi Currency plugin allows e-tailers to set pricing for international shoppers: it automatically detects a customer's geolocation and displays pricing in the currency of the customer's country, with the exchange rate set manually or automatically using current exchange rates.

According to the Ninja Technologies Network, the issue is a broken access-control vulnerability in version 2.1.17 and below, impacting Multi Currency's "Import Fixed Price" feature, which allows eCommerce sites to set custom prices, thus overwriting any prices calculated automatically by exchange rate.

To exploit the problem, cyberattackers could upload a specially crafted CSV file to the site, which uses a product's current currency and the product ID. This allows them to change the price of one or multiple products, researchers explained.
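For site owners and plugin developers, the sketch below shows the checks a WordPress AJAX import handler needs so that an ordinary customer account cannot reach a price import. It is an added example, not the Multi Currency plugin's code and not its patch; the action name, nonce name, upload field, CSV layout and meta key prefix are all assumptions made for illustration.

```php
<?php
// Added example: hypothetical handler, NOT the Multi Currency plugin's code.
// Assumed names: action 'example_import_fixed_price', nonce field 'nonce',
// upload field 'csv', meta key prefix '_example_fixed_price_'.

add_action( 'wp_ajax_example_import_fixed_price', 'example_import_fixed_price' );
// No 'wp_ajax_nopriv_' hook is registered, so logged-out visitors never reach it.

function example_import_fixed_price() {
    // 1. CSRF: require a nonce that was issued on the admin import screen.
    check_ajax_referer( 'example_import_fixed_price', 'nonce' );

    // 2. Authorization: wp_ajax_* hooks fire for ANY logged-in user, customers
    //    included, so the capability has to be checked explicitly.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Input: accept only a genuine HTTP upload.
    $tmp = isset( $_FILES['csv']['tmp_name'] ) ? $_FILES['csv']['tmp_name'] : '';
    if ( '' === $tmp || ! is_uploaded_file( $tmp ) ) {
        wp_send_json_error( array( 'message' => 'No CSV uploaded' ), 400 );
    }
    $handle = fopen( $tmp, 'r' );
    if ( false === $handle ) {
        wp_send_json_error( array( 'message' => 'Unreadable upload' ), 400 );
    }

    $updated = 0;
    while ( false !== ( $row = fgetcsv( $handle ) ) ) {
        // Constructed row layout for this example: product_id, currency, price.
        if ( count( $row ) < 3 ) {
            continue;
        }
        list( $id, $currency, $price ) = $row;
        $product = wc_get_product( absint( $id ) );
        // Skip unknown products, malformed currency codes and invalid prices.
        if ( ! $product || ! preg_match( '/^[A-Z]{3}$/', $currency )
            || ! is_numeric( $price ) || $price < 0 ) {
            continue;
        }
        update_post_meta( $product->get_id(),
            '_example_fixed_price_' . $currency, wc_format_decimal( $price ) );
        $updated++;
    }
    fclose( $handle );
    wp_send_json_success( array( 'updated' => $updated ) );
}
```

The capability check in step 2 is the access-control boundary: `manage_woocommerce` is held by administrators and shop managers, not by customer accounts.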

In late August, a pair of security vulnerabilities in the WooCommerce Dynamic Pricing and Discounts plugin from Envato were disclosed, which could allow unauthenticated attackers to inject malicious code into websites running unpatched versions.

In July, a critical SQL-injection security vulnerability in the WooCommerce e-commerce platform and a related plugin was found to be under attack as a zero-day bug.


News URL

https://threatpost.com/woocommerce-multi-currency-bug-pricing/169394/

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
Woocommerce 31 2 36 16 1 55