Platform
wordpress
Component
woocommerce-currency-switcher
Fixed in
1.4.3
CVE-2024-10640 describes an arbitrary shortcode execution vulnerability discovered in the FOX – Currency Switcher Professional for WooCommerce plugin for WordPress. This flaw allows unauthenticated attackers to inject and execute malicious shortcodes, potentially compromising the entire WordPress site. The vulnerability affects versions up to and including 1.4.2.2. A patch is available from the vendor.
The impact of this vulnerability is significant. An attacker can leverage arbitrary shortcode execution to inject malicious content, redirect users to phishing sites, deface the website, or even gain complete control over the WordPress installation. This could lead to data breaches, denial of service, and reputational damage. The ability to execute arbitrary shortcodes bypasses standard WordPress security measures, making this a particularly dangerous vulnerability. Successful exploitation could allow an attacker to modify core WordPress files, install backdoors, or steal sensitive user data stored within the WordPress database.
This vulnerability was publicly disclosed on 2024-11-09. No public proof-of-concept (POC) code has been released at the time of writing, but the ease of exploiting arbitrary shortcode execution suggests a high probability of exploitation. The vulnerability is not currently listed on the CISA KEV catalog. Monitor security advisories and threat intelligence feeds for any signs of active exploitation campaigns targeting this vulnerability.
WordPress websites utilizing the FOX – Currency Switcher Professional for WooCommerce plugin, particularly those running older versions (≤1.4.2.2), are at significant risk. Shared hosting environments where plugin updates are not managed by the website owner are also particularly vulnerable, as are sites with weak password policies or inadequate security practices.
• wordpress / composer / npm:
grep -r 'do_shortcode' /var/www/html/wp-content/plugins/fox-currency-switcher-professional-for-woocommerce/
• wordpress / composer / npm:
wp plugin list | grep 'fox-currency-switcher-professional-for-woocommerce'
• wordpress / composer / npm:
wp plugin update fox-currency-switcher-professional-for-woocommerce
Disclosure
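The commands above only list the plugin; deciding whether an installed copy is still inside the affected range (≤ 1.4.2.2, fixed in 1.4.3) needs a version comparison. The following is an added example, not code from the page or the vendor: it reads the `Version:` header of a plugin's main PHP file (the file name and path are assumptions, the page names only the plugin directory) and classifies it against the fixed version using a pure POSIX dotted-version comparison.

```shell
#!/bin/sh
# Added example for CVE-2024-10640: classify an installed plugin version
# as "vulnerable" (< 1.4.3) or "patched" (>= 1.4.3). Versions are assumed
# to be numeric dotted strings; a trailing suffix such as "-beta" is ignored.

FIXED_VERSION="1.4.3"

# Print the value of the "Version:" header from a WordPress plugin file.
# Matches both "Version: 1.4.2.2" and " * Version: 1.4.2.2" comment styles.
plugin_version() {
    sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}

# Return 0 (true) if version $1 is strictly lower than version $2.
# Components are compared numerically; missing components count as 0,
# so 1.4.2.2 < 1.4.3 and 1.4.3.1 > 1.4.3.
version_lt() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}
        ax=${ax%%[!0-9]*}; bx=${bx%%[!0-9]*}   # drop non-numeric suffixes
        [ -z "$ax" ] && ax=0
        [ -z "$bx" ] && bx=0
        if [ "$ax" -lt "$bx" ]; then return 0; fi
        if [ "$ax" -gt "$bx" ]; then return 1; fi
        case "$a" in *.*) a=${a#*.} ;; *) a="" ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b="" ;; esac
    done
    return 1
}

# Print "vulnerable" or "patched" for a version string.
assess_version() {
    if version_lt "$1" "$FIXED_VERSION"; then echo vulnerable; else echo patched; fi
}

# Print the assessment for a plugin main file (path is an assumption;
# the page only names the plugin directory under wp-content/plugins/).
assess_file() {
    assess_version "$(plugin_version "$1")"
}

# Constructed sample plugin header, used here for offline demonstration only.
sample_header() {
    printf '<?php\n/*\nPlugin Name: FOX - Currency Switcher Professional for WooCommerce\nVersion: %s\n*/\n' "$1"
}

# Usage: ./check_fox_version.sh /path/to/plugin-main-file.php
if [ "$#" -gt 0 ]; then assess_file "$1"; fi
```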
Exploit status
EPSS
1.23% (percentile 79%)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2024-10640 is to immediately upgrade the FOX – Currency Switcher Professional for WooCommerce plugin to the latest available version. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin. While not a complete solution, implementing a Web Application Firewall (WAF) with rules to block suspicious shortcode execution attempts can provide an additional layer of defense. Regularly review WordPress plugin usage and ensure all plugins are from trusted sources.
Update the FOX – Currency Switcher Professional for WooCommerce plugin to the latest available version. The fixed version includes proper validation to prevent arbitrary shortcode execution.
CVE-2024-10640 is a HIGH severity vulnerability in the FOX Currency Switcher Professional for WooCommerce plugin, allowing unauthenticated attackers to execute arbitrary shortcodes due to insufficient validation.
Yes, if you are using FOX Currency Switcher Professional for WooCommerce version 1.4.2.2 or earlier, you are vulnerable to this arbitrary shortcode execution flaw.
Upgrade the FOX Currency Switcher Professional for WooCommerce plugin to the latest available version to patch this vulnerability. If immediate upgrade is not possible, disable the plugin temporarily.
While no public exploits are currently known, the low effort this class of flaw requires makes exploitation likely. Monitor security advisories for updates.
Refer to the official FOX Currency Switcher website or WordPress plugin repository for the latest advisory and patch information.