CVE-2019-18668

An issue was discovered in the Currency Switcher addon before 2.11.2 for WooCommerce if a user provides a currency that was not added by the administrator. In this case, even though the currency does not exist, it will be selected, but a price amount will fall back to the default currency. This means that if an attacker provides a currency that does not exist and is worth less than this default, the attacker can eventually purchase an item for a significantly cheaper price.

CVSS v3 6.5 MEDIUM
CVSS v2.0 4.0 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

4.0^/10

CVSS v2.0 : MEDIUM

Vector : AV:N/AC:L/Au:S/C:N/I:P/A:N

Exploitability : 8.0 / Impact : 2.9

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact NONE

Integrity Impact PARTIAL

Availability Impact NONE

References

Link	Resource
https://wordpress.org/plugins/currency-switcher-woocommerce/#developers	Release Notes Vendor Advisory
https://wpvulndb.com/vulnerabilities/9936	Third Party Advisory
https://www.infigo.hr/en/critical-vulnerability-in-currency-switcher-for-woocommerce-n61	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:wpwham:currency_switcher_for_woocommerce:*:*:*:*:*:wordpress:*:*

History

No history.

Information

Published : 2019-11-02 16:15

Updated : 2024-02-28 17:28

NVD link : CVE-2019-18668

Mitre link : CVE-2019-18668

CVE.ORG link : CVE-2019-18668

JSON object : View

Products Affected

wpwham

currency_switcher_for_woocommerce

CWE

CWE-755

Improper Handling of Exceptional Conditions

{"id": "CVE-2019-18668", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 4.0, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "authentication": "SINGLE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "NONE", "confidentialityImpact": "NONE"}, "acInsufInfo": false, "impactScore": 2.9, "baseSeverity": "MEDIUM", "obtainAllPrivilege": false, "exploitabilityScore": 8.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}], "cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2019-11-02T16:15:10.310", "references": [{"url": "https://wordpress.org/plugins/currency-switcher-woocommerce/#developers", "tags": ["Release Notes", "Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://wpvulndb.com/vulnerabilities/9936", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://www.infigo.hr/en/critical-vulnerability-in-currency-switcher-for-woocommerce-n61", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-755"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in the Currency Switcher addon before 2.11.2 for WooCommerce if a user provides a currency that was not added by the administrator. In this case, even though the currency does not exist, it will be selected, but a price amount will fall back to the default currency. This means that if an attacker provides a currency that does not exist and is worth less than this default, the attacker can eventually purchase an item for a significantly cheaper price."}, {"lang": "es", "value": "Se detect\u00f3 un problema en el addon Currency Switcher anteriores a 2.11.2 para WooCommerce, si un usuario suministra una moneda que no fue agregada por el administrador. En este caso, aunque la moneda no exista, ser\u00e1 seleccionada, pero el monto del precio regresar\u00e1 a la moneda predeterminada. Esto significa que si un atacante suministra una moneda que no existe y vale menos que este valor predeterminado, el atacante puede comprar un art\u00edculo a un precio significativamente m\u00e1s barato."}], "lastModified": "2021-07-21T11:39:23.747", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:wpwham:currency_switcher_for_woocommerce:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "50709498-6D63-4AF4-BCD3-671A339C7CB9", "versionEndExcluding": "2.11.2"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}