cleantalk
Vulnerabilities and Security Researches

Vulnerabilities and security researches forwoo-multi-currency woo-multi-currency

Direction: ascending
Jun 07, 2024

CURCY – Multi Currency for WooCommerce – The best free currency exchange plugin – Run smoothly on WooCommerce # CVE-2023-50831

CVE, Research URL

CVE-2023-50831

Date
Dec 21, 2023
Research Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VillaTheme CURCY – Multi Currency for WooCommerce allows Stored XSS.This issue affects CURCY – Multi Currency for WooCommerce: from n/a through 2.2.0.
Affected versions
max 2.2.1.
Status
vulnerable

CURCY – Multi Currency for WooCommerce – The best free currency exchange plugin – Run smoothly on WooCommerce # 13a77f16b58689b0bbcfc4a5b6e7e10c7456b2ab

Date
May 31, 2022
Research Description
CURCY &#8211; Multi Currency for WooCommerce &#8211; Smoothly on WooCommerce 9.x [woo-multi-currency] < 2.1.18 WordPress CURCY plugin <= 2.1.17 - Reflected Cross-Site Scripting (XSS) vulnerability Reflected Cross-Site Scripting (XSS) vulnerability discovered by WPScanTeam in WordPress CURCY plugin (versions <= 2.1.17). Update the WordPress CURCY plugin to the latest available version (at least 2.1.18).
Affected versions
max 2.1.18.
Status
vulnerable

CURCY &#8211; Multi Currency for WooCommerce &#8211; The best free currency exchange plugin &#8211; Run smoothly on WooCommerce # CVE-2021-4376

CVE, Research URL

CVE-2021-4376

Date
Jun 07, 2023
Research Description
The WooCommerce Multi Currency plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.17. This makes it possible for authenticated attackers to change the price of a product to an arbitrary value.
Affected versions
max 2.1.18.
Status
vulnerable
Jun 10, 2024

CURCY &#8211; Multi Currency for WooCommerce &#8211; The best free currency exchange plugin &#8211; Run smoothly on WooCommerce # CVE-2022-46796

CVE, Research URL

CVE-2022-46796

Date
Dec 13, 2024
Research Description
Missing Authorization vulnerability in VillaTheme CURCY allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CURCY: from n/a through 2.1.25.
Affected versions
max 2.1.26.
Status
vulnerable
Oct 19, 2024

CURCY &#8211; Multi Currency for WooCommerce &#8211; The best free currency exchange plugin &#8211; Run smoothly on WooCommerce # CVE-2024-49283

CVE, Research URL

CVE-2024-49283

Date
Oct 18, 2024
Research Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VillaTheme CURCY woo-multi-currency allows Reflected XSS.This issue affects CURCY: from n/a through <= 2.2.3.
Affected versions
max 2.2.4.
Status
vulnerable
Feb 07, 2025

CURCY &#8211; Multi Currency for WooCommerce &#8211; The best free currency exchange plugin &#8211; Run smoothly on WooCommerce # CVE-2024-13487

CVE, Research URL

CVE-2024-13487

Date
Feb 06, 2025
Research Description
The The CURCY – Multi Currency for WooCommerce – The best free currency exchange plugin – Run smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution via the get_products_price() function in all versions up to, and including, 2.2.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Affected versions
max 2.2.6.
Status
vulnerable
Jun 15, 2026

CURCY &#8211; Multi Currency for WooCommerce &#8211; The best free currency exchange plugin &#8211; Run smoothly on WooCommerce # eb9cbd4445dbdb71d87e267cad23356103e29c9d

Date
Sep 13, 2021
Research Description
CURCY &#8211; Multi Currency for WooCommerce &#8211; Smoothly on WooCommerce 9.x [woo-multi-currency] < 2.1.18 WooCommerce Multi Currency <= 2.1.17 - Missing Authorization The WooCommerce Multi Currency plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.17. This makes it possible for authenticated attackers to change the price of a product to an arbitrary value.
Affected versions
max 2.1.18.
Status
vulnerable

CURCY &#8211; Multi Currency for WooCommerce &#8211; The best free currency exchange plugin &#8211; Run smoothly on WooCommerce # dae772a05310ee3d58f3f6291e86b9537bba958c

Date
May 31, 2022
Research Description
CURCY &#8211; Multi Currency for WooCommerce &#8211; Smoothly on WooCommerce 9.x [woo-multi-currency] < 2.1.18 CURCY <= 2.1.17 - Reflected Cross-Site Scripting The CURCY plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in versions up to, and including, 2.1.17. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions
max 2.1.18.
Status
vulnerable

CURCY &#8211; Multi Currency for WooCommerce &#8211; The best free currency exchange plugin &#8211; Run smoothly on WooCommerce # 6ebafb52-e167-40bc-a86c-b9840b2b9b37

Date
-
Research Description
CURCY &#8211; Multi Currency for WooCommerce &#8211; Smoothly on WooCommerce 9.x [woo-multi-currency] < 2.1.18 CURCY &lt; 2.1.18 - Reflected Cross-Site Scripting The plugin does not escape some generated URLs before outputting them back in attributes, leading to Reflected Cross-Site Scripting
Affected versions
max 2.1.18.
Status
vulnerable
Jul 04, 2026

CURCY &#8211; Multi Currency for WooCommerce &#8211; The best free currency exchange plugin &#8211; Run smoothly on WooCommerce # CVE-2026-11778

CVE, Research URL

CVE-2026-11778

Date
Jul 03, 2026
Research Description
The The CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.2.14. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Affected versions
max 2.2.15.
Status
vulnerable