WooCommerce Multi Currency Bug Allows Shoppers to Change eCommerce Pricing
A new security vulnerability in the WooCommerce Multi-Currency plugin could allow any customer to change the pricing for products in online stores. WooCommerce is a popular plugin for WordPress websites, and the Multi-Currency plugin from Envato allows e-tailers to use WooCommerce to set pricing for international shoppers. The plugin can automatically detect a potential customer’s geolocation and display item prices in that customer’s local currency. The exchange rate is set either manually or automatically using current rates. Currently, it boasts 7,700 sales on the Envato marketplace. However, the security vulnerability recently uncovered by researchers can be exploited with a malicious CSV file and could allow customers to manipulate pricing.
Ninja Technologies Network stated that the issue is a broken access control vulnerability impacting the plugin’s Import Fixed Price feature, which allows eCommerce sites to set custom prices. As a result, cyber attackers looking to save money could upload a specially crafted CSV file to the site using a product’s current currency and the product ID, allowing them to change the price of the product. The vulnerability could be damaging for online shops, as an attacker would have time to download the goods without being discovered. The latest version of the plugin contains a patch, and eCommerce sites using WordPress have been urged to install the fix immediately.
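The broken access control pattern described above can be modelled in a few lines. This is an added example, not the plugin's code: it is a language-neutral Python model of a fixed-price CSV import with and without an authorization check. The role names, CSV column names and sample prices are assumptions constructed for illustration.

```python
import csv
import io
from decimal import Decimal, InvalidOperation

# Assumed capability model: only these roles may manage prices.
PRICE_MANAGERS = {"administrator", "shop_manager"}


class Forbidden(Exception):
    """Raised when the caller is not allowed to import prices."""


def fresh_prices():
    """Constructed store state: product ID -> {currency: fixed price}."""
    return {101: {"USD": Decimal("49.00"), "EUR": Decimal("45.00")}}


def parse_rows(prices, csv_text):
    """Yield (product_id, currency, price) for rows that pass validation."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        try:
            pid = int(row["product_id"])
            price = Decimal(row["price"])
        except (KeyError, TypeError, ValueError, InvalidOperation):
            continue  # malformed row: skip it
        currency = (row.get("currency") or "").upper()
        # Only touch products and currencies the store already defines.
        if currency in prices.get(pid, {}) and price.is_finite() and price > 0:
            yield pid, currency, price


def import_unchecked(prices, csv_text):
    """The flaw class described above: nobody asks who is importing."""
    rows = list(parse_rows(prices, csv_text))
    for pid, currency, price in rows:
        prices[pid][currency] = price
    return len(rows)


def import_checked(prices, role, csv_text):
    """Hardened form: authorize the caller before reading any row."""
    if role not in PRICE_MANAGERS:
        raise Forbidden(f"role {role!r} may not import fixed prices")
    return import_unchecked(prices, csv_text)


# Constructed upload: one valid row, then three rows validation rejects.
SAMPLE_CSV = "product_id,currency,price\n101,USD,0.01\n999,USD,1\n101,GBP,1\n101,EUR,abc\n"
```

Row validation limits what an import can touch, but it does not stop the price change on its own: only the role check in `import_checked` does.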