Platform: wordpress
Component: woocommerce-currency-switcher
Fixed in: 1.4.3
CVE-2024-10640 describes an arbitrary shortcode execution vulnerability discovered in the FOX – Currency Switcher Professional for WooCommerce plugin for WordPress. This flaw allows unauthenticated attackers to inject and execute malicious shortcodes, potentially compromising the entire WordPress site. The vulnerability affects versions up to and including 1.4.2.2. A patch is available from the vendor.
The impact of this vulnerability is significant. An attacker can leverage arbitrary shortcode execution to inject malicious content, redirect users to phishing sites, deface the website, or even gain complete control over the WordPress installation. This could lead to data breaches, denial of service, and reputational damage. The ability to execute arbitrary shortcodes bypasses standard WordPress security measures, making this a particularly dangerous vulnerability. Successful exploitation could allow an attacker to modify core WordPress files, install backdoors, or steal sensitive user data stored within the WordPress database.
This vulnerability was publicly disclosed on 2024-11-09. No public proof-of-concept (POC) code has been released at the time of writing, but the ease of exploiting arbitrary shortcode execution suggests a high probability of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Monitor security advisories and threat intelligence feeds for any signs of active exploitation campaigns targeting this vulnerability.
Exploit Status
EPSS: 1.23% (79th percentile)
The primary mitigation for CVE-2024-10640 is to immediately upgrade the FOX – Currency Switcher Professional for WooCommerce plugin to the latest available version. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. While not a complete solution, implementing a Web Application Firewall (WAF) with rules to block suspicious shortcode execution attempts can provide an additional layer of defense. Regularly review WordPress plugin usage and ensure all plugins are from trusted sources.
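To make the WAF and log-review advice above concrete, here is an added detection example (not from this page, the vendor, or the plugin's own code): it scans web-server access-log lines for WordPress shortcode syntax arriving in query-string parameters, including URL-encoded and double-encoded brackets. The combined log format, the parameter names and the sample lines are constructed assumptions, and POST bodies are not covered because access logs do not record them.

```python
import re
from urllib.parse import unquote_plus, urlsplit, parse_qsl

# WordPress-style shortcode syntax: [name], [/name] or [name attr=value ...].
# Assumption: tag names use letters, digits, underscore and hyphen.
SHORTCODE_RE = re.compile(r"\[/?[A-Za-z][\w-]*(?:\s[^\]]*)?\]")

# Apache/Nginx "combined" access-log line (assumed format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def suspicious_params(target):
    """Return (param, shortcode) pairs whose decoded value contains shortcode syntax."""
    parts = urlsplit(target)
    hits = []
    for key, raw in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl already decoded once; decoding again catches %255B-style
        # double-encoded brackets that a naive filter on "[" would miss.
        value = unquote_plus(raw)
        for m in SHORTCODE_RE.finditer(value):
            hits.append((key, m.group(0)))
    return hits


def scan_log(lines):
    """Return one finding per request whose query string carries shortcode syntax."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the assumed combined format; skip rather than guess
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "path": urlsplit(m.group("target")).path,
                "status": int(m.group("status")),
                "hits": hits,
            })
    return findings


# Constructed sample lines (not real traffic): one plain-encoded probe, one benign
# currency request, and one double-encoded probe with a shortcode attribute.
SAMPLE_LOG = [
    '203.0.113.5 - - [09/Nov/2024:10:00:00 +0000] "GET /?example_param=%5Bexample_shortcode%5D HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [09/Nov/2024:10:00:01 +0000] "GET /shop/?currency=EUR HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [09/Nov/2024:10:00:02 +0000] "GET /?q=%255Bexample_shortcode%2520x%3D1%255D HTTP/1.1" 200 512 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["path"], f["status"], f["hits"])
```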
Update the FOX – Currency Switcher Professional for WooCommerce plugin to the latest available version. The fixed version includes proper validation to prevent execution of arbitrary shortcodes.
CVE-2024-10640 is a HIGH severity vulnerability in the FOX Currency Switcher Professional for WooCommerce plugin, allowing unauthenticated attackers to execute arbitrary shortcodes due to insufficient validation.
Yes, if you are using FOX Currency Switcher Professional for WooCommerce version 1.4.2.2 or earlier, you are vulnerable to this arbitrary shortcode execution flaw.
Upgrade the FOX Currency Switcher Professional for WooCommerce plugin to the latest available version to patch this vulnerability. If immediate upgrade is not possible, disable the plugin temporarily.
While no public exploit is currently known, the ease of exploiting arbitrary shortcode execution suggests a high likelihood of attacks. Monitor security advisories for updates.
Refer to the official FOX Currency Switcher website or WordPress plugin repository for the latest advisory and patch information.