CVE-2019-18668 Information

Description

An issue was discovered in the Currency Switcher addon before 2.11.2 for WooCommerce if a user provides a currency that was not added by the administrator. In this case even though the currency does not exist it will be selected but a price amount will fall back to the default currency. This means that if an attacker provides a currency that does not exist and is worth less than this default the attacker can eventually purchase an item for a significantly cheaper price.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Reference

https://wordpress.org/plugins/currency-switcher-woocommerce/developers https://wpvulndb.com/vulnerabilities/9936 https://www.infigo.hr/en/critical-vulnerability-in-currency-switcher-for-woocommerce-n61

Attack Complexity

LOW

Privileges Required

LOW

User Interaction Required

LOW

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

NONE

Availability Impact

HIGH

Base Score

NONE

Base Severity

6.5