Platform
wordpress
Component
woocommerce-currency-switcher
Fixed in
1.4.3
CVE-2024-8271 describes an arbitrary shortcode execution vulnerability discovered in the FOX – Currency Switcher Professional for WooCommerce plugin for WordPress. This flaw allows unauthenticated attackers to execute arbitrary shortcodes, potentially leading to website defacement, data theft, or even remote code execution. The vulnerability affects versions up to and including 1.4.2.1, and a patch is available from the vendor.
The arbitrary shortcode execution vulnerability allows an attacker to inject and execute malicious shortcodes on a WordPress site using the affected plugin. This can lead to a wide range of consequences, including defacement of the website, injection of malicious content, redirection to phishing sites, and even complete website takeover. Attackers could leverage this to steal sensitive user data, install malware, or use the compromised site as a launchpad for further attacks. The lack of authentication required makes this vulnerability particularly concerning, as any unauthenticated user can exploit it.
This vulnerability was publicly disclosed on 2024-09-14. No known active exploitation campaigns have been reported at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept code is likely to emerge given the ease of exploitation and the public disclosure.
Websites utilizing the FOX – Currency Switcher Professional for WooCommerce plugin, particularly those running older versions (≤1.4.2.1), are at significant risk. Shared hosting environments where plugin updates are not managed by the website owner are also particularly vulnerable, as are sites with weak password policies or inadequate security configurations.
• wordpress / composer / npm:
  grep -r 'do_shortcode' /var/www/html/wp-content/plugins/fox-currency-switcher-professional-for-woocommerce/
• wordpress / composer / npm:
  wp plugin list | grep 'fox-currency-switcher-professional-for-woocommerce'
• wordpress / composer / npm:
  wp plugin update fox-currency-switcher-professional-for-woocommerce
Disclosure
Exploit status
EPSS
1.72% (82nd percentile)
CISA SSVC
CVSS vector
The primary mitigation is to immediately upgrade the FOX – Currency Switcher Professional for WooCommerce plugin to a patched version. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. As a secondary measure, implement strict input validation and sanitization on all user-supplied data within the plugin's code. Web application firewalls (WAFs) configured to detect and block shortcode injection attempts can also provide an additional layer of protection. After upgrading, verify the fix by attempting to execute a benign shortcode through the plugin's interface to ensure it functions as expected.
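The commands listed above and the mitigation paragraph both come down to one question: is the installed build still inside the affected range (≤ 1.4.2.1) or already at the fixed release (1.4.3)? The script below is an added example, not part of this advisory or of the plugin's own code. It compares dotted version numbers field by field (a plain string compare would misorder cases such as 1.4.10 against 1.4.9) and reads the CSV that `wp plugin list --fields=name,version --format=csv` produces. The plugin slug is taken from the advisory's Component field and is an assumption about your install; the sample CSV is constructed, not captured from a real site.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): decide from `wp plugin list`
# CSV output whether the installed FOX Currency Switcher build is still affected.
# Assumptions: the plugin slug matches the advisory's Component field, the last
# affected release is 1.4.2.1 and the fix is 1.4.3 (both from the advisory), and
# the CSV comes from `wp plugin list --fields=name,version --format=csv`.

PLUGIN_SLUG="woocommerce-currency-switcher"   # assumed slug; adjust to your install
LAST_VULNERABLE="1.4.2.1"                     # "up to and including 1.4.2.1"
FIXED_IN="1.4.3"                              # advisory's "Fixed in" field

# version_cmp A B: print -1, 0 or 1 for A<B, A==B, A>B, comparing dotted numeric
# versions field by field. Missing trailing fields count as 0, so 1.4 == 1.4.0;
# non-digit suffixes such as "-beta" are ignored.
version_cmp() {
    a="$1"
    b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        # leading field of each side, digits only
        ah=$(printf '%s' "${a%%.*}" | tr -cd '0-9')
        bh=$(printf '%s' "${b%%.*}" | tr -cd '0-9')
        : "${ah:=0}"
        : "${bh:=0}"
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return 0; fi
        # drop the leading field; an empty string means no fields remain
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    printf '%s\n' 0
}

# is_vulnerable VERSION: exit status 0 when VERSION <= LAST_VULNERABLE.
is_vulnerable() {
    [ "$(version_cmp "$1" "$LAST_VULNERABLE")" -le 0 ]
}

# check_plugin_list CSV [SLUG]: look the slug up in the CSV (header row skipped)
# and print "vulnerable", "patched" or "not-installed".
check_plugin_list() {
    csv="$1"
    slug="${2:-$PLUGIN_SLUG}"
    ver=$(printf '%s\n' "$csv" | awk -F, -v s="$slug" 'NR > 1 && $1 == s { print $2; exit }')
    if [ -z "$ver" ]; then
        printf '%s\n' "not-installed"
    elif is_vulnerable "$ver"; then
        printf '%s\n' "vulnerable"
    else
        printf '%s\n' "patched"
    fi
}

# Constructed sample of `wp plugin list --fields=name,version --format=csv`
# output; not captured from a real site.
SAMPLE_PLUGIN_LIST="name,version
woocommerce,9.1.2
woocommerce-currency-switcher,1.4.2.1
akismet,5.3"

# Stand-alone run against the sample. On a real host feed the live output instead:
#   check_plugin_list "$(wp plugin list --fields=name,version --format=csv)"
result=$(check_plugin_list "$SAMPLE_PLUGIN_LIST")
printf '%s: %s (last affected %s, fixed in %s)\n' \
    "$PLUGIN_SLUG" "$result" "$LAST_VULNERABLE" "$FIXED_IN"
```

This only answers the version question, which is the part that can be automated; the `grep -r 'do_shortcode'` step above remains a manual code review of how the plugin reaches shortcode execution, and a "patched" result should still be followed by the functional check the mitigation paragraph describes.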
Update the FOX – Currency Switcher Professional for WooCommerce plugin to the latest available version. This fixes the unauthenticated arbitrary shortcode execution vulnerability.
CVE-2024-8271 is a HIGH severity vulnerability affecting the FOX Currency Switcher Professional for WooCommerce plugin, allowing unauthenticated attackers to execute arbitrary shortcodes due to inadequate input validation.
Yes, if you are using FOX Currency Switcher Professional for WooCommerce version 1.4.2.1 or earlier, you are vulnerable to this arbitrary shortcode execution flaw.
Upgrade the FOX Currency Switcher Professional for WooCommerce plugin to the latest available version to patch this vulnerability. If upgrading is not immediately possible, temporarily disable the plugin.
While there are currently no confirmed active exploitation campaigns, the ease of exploitation suggests it could become a target. Monitor your website for suspicious activity.
Refer to the official FOX Currency Switcher website or WordPress plugin repository for the latest advisory and patch information.