Cybersecurity specialists report the detection of a severe vulnerability in WooCommerce and Multi Currency, two popular WordPress plugins. According to the report, successful exploitation of the vulnerability would allow threat actors to change the price of a product on e-commerce platforms.
Actually this plugin is composed of two elements. While WooCommerce is a plugin for e-commerce sites, Multi Currency allows websites that use WooCommerce to set prices for buyers outside the country automatically.
Multi Currency, developed by Envato, determines the geographical location of the user and displays the prices of the products in the currency of the corresponding country and the updated exchange rate.
The report, published by Ninja Technologies Network, describes the bug as a flawed access control vulnerability in versions 2.1.17 and earlier, directly impacting Multi Currency’s “Import Fixed Price” feature, which allows websites to set custom pricing. In other words, attackers could overwrite the price of any product, which will be calculated by Multi Currency.
A threat actor who wants to exploit the issue should only upload a specially crafted CSV file to the target website, which uses the current currency of the product and its identification key. With this, hackers will be able to change the price of any product on e-commerce websites.
The report adds that an attack could prove especially damaging to platforms that sell digital products, as hackers could change the price of any item, download the purchased product and erase its fingerprints before the affected platform even detects the malicious activity.
To prevent this kind of attack, e-commerce website administrators can verify each order, as this hack does not alter the price of items on the backend, immediately revealing malicious activity. However, the main recommendation is to update to v2.1.18, the latest version of the plugin, to completely mitigate the risk of exploitation.
To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.
He is a cyber security and malware researcher. He studied Computer Science and started working as a cyber security analyst in 2006. He is actively working as an cyber security investigator. He also worked for different security companies. His everyday job includes researching about new cyber security incidents. Also he has deep level of knowledge in enterprise security implementation.