CVE-2024-13487: CWE-94 Improper Control of Generation of Code ('Code Injection') in villatheme CURCY – Multi Currency for WooCommerce – The best free currency exchange plugin – Run smoothly on WooCommerce 9.x
CVE-2024-13487 is a high-severity vulnerability in the CURCY Multi Currency plugin for WooCommerce, versions up to 2.2.5. It allows unauthenticated attackers to execute arbitrary WordPress shortcodes via the get_products_price() function due to improper validation before calling do_shortcode. This code injection vulnerability (CWE-94) can lead to partial confidentiality, integrity, and availability impacts without requiring user interaction or authentication. Exploitation could enable attackers to manipulate site content, execute malicious code, or disrupt e-commerce operations. No known exploits are currently reported in the wild. Organizations using this plugin on WooCommerce 9.x should prioritize patching or applying mitigations to prevent potential compromise. The vulnerability affects WordPress sites globally, with particular risk in countries with high WooCommerce adoption and e-commerce activity.
AI Analysis
Technical Summary
The CURCY – Multi Currency for WooCommerce plugin, widely used to provide currency exchange functionality on WooCommerce-based WordPress sites, contains a critical vulnerability identified as CVE-2024-13487. The flaw arises from improper control of code generation (CWE-94) within the get_products_price() function, which fails to validate input before invoking WordPress's do_shortcode function. This allows unauthenticated attackers to inject and execute arbitrary shortcodes, effectively enabling remote code execution within the context of the WordPress site. Since shortcodes can trigger a wide range of actions, including database queries, file operations, or PHP code execution via other plugins or themes, the impact can be extensive. The vulnerability affects all versions up to and including 2.2.5 and is exploitable over the network without any authentication or user interaction, increasing its risk. Although no public exploits have been reported yet, the ease of exploitation and the widespread use of WooCommerce and this plugin make it a significant threat. The vulnerability compromises confidentiality by potentially exposing sensitive data, integrity by allowing unauthorized content or code changes, and availability by enabling denial-of-service conditions or site defacement.
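The pattern the analysis describes, request-controlled text reaching do_shortcode(), and the shape of a hardened handler, as an added illustration that is not the CURCY plugin's code. The handler names are hypothetical, the vulnerable function is a generic sketch of the CWE-94 pattern rather than the plugin's get_products_price(), and the block assumes a WordPress plus WooCommerce runtime (do_shortcode, absint, wc_get_product, wp_send_json_error and strip_shortcodes are core functions):

```php
<?php
// Added illustration (not the CURCY plugin's code). Assumes a WordPress +
// WooCommerce runtime for do_shortcode(), absint(), wc_get_product(),
// wp_send_json_*() and strip_shortcodes().

// VULNERABLE PATTERN (generic sketch of CWE-94 in WordPress, hypothetical name):
// a request parameter is handed straight to do_shortcode(), so any shortcode
// text the sender places in it is parsed and executed as if the site owner
// had written it into a post.
function hypothetical_vulnerable_price_handler() {
    $input = isset( $_POST['product'] ) ? wp_unslash( $_POST['product'] ) : '';
    echo do_shortcode( $input ); // untrusted input becomes shortcode "code"
    wp_die();
}

// HARDENED PATTERN (hypothetical name): user-controlled text never reaches
// do_shortcode(). The parameter is validated as a product ID, the product is
// looked up, and the response is built from WooCommerce's own data.
function hypothetical_hardened_price_handler() {
    $product_id = isset( $_POST['product'] ) ? absint( wp_unslash( $_POST['product'] ) ) : 0;
    if ( ! $product_id ) {
        wp_send_json_error( array( 'message' => 'invalid product id' ), 400 );
    }
    $product = wc_get_product( $product_id );
    if ( ! $product ) {
        wp_send_json_error( array( 'message' => 'unknown product' ), 404 );
    }
    // Price markup comes from WooCommerce, not from the request body.
    wp_send_json_success( array( 'price_html' => $product->get_price_html() ) );
}

// If free text from a request genuinely has to be echoed somewhere, remove
// shortcode syntax before output and escape the remainder (hypothetical helper).
function hypothetical_safe_echo( $text ) {
    return esc_html( strip_shortcodes( $text ) );
}
```

When auditing a site for this class of bug, the check is the data flow, not the function name: list every `do_shortcode(` call in `wp-content/plugins` and confirm that its argument cannot be traced back to `$_GET`, `$_POST`, `$_REQUEST` or request headers. A call whose argument is a fixed shortcode string with sanitized attributes is fine; a call whose argument is request text is the pattern above.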
Potential Impact
Organizations running WooCommerce stores with the vulnerable CURCY plugin face risks including unauthorized code execution, data leakage, and site disruption. Attackers could manipulate product pricing, redirect customers, inject malicious content, or gain further access to the underlying server environment. This can lead to financial losses, reputational damage, and regulatory compliance issues, especially for e-commerce businesses handling sensitive customer and payment data. The vulnerability's unauthenticated nature means attackers can exploit it remotely without credentials, increasing the attack surface. Given WooCommerce's global popularity, the threat could impact small to large online retailers worldwide, potentially affecting customer trust and operational continuity.
Mitigation Recommendations
Immediate mitigation involves updating the CURCY plugin to a patched version once released by the vendor. Until a patch is available, administrators should disable or remove the CURCY plugin to eliminate the attack vector. Implementing Web Application Firewall (WAF) rules to detect and block suspicious shortcode patterns or attempts to invoke do_shortcode via user input can provide temporary protection. Restricting access to the WordPress REST API and limiting anonymous user capabilities can reduce exploitation risk. Regularly auditing installed plugins for vulnerabilities and minimizing plugin use to trusted, actively maintained ones is recommended. Monitoring logs for unusual shortcode execution or unexpected site behavior can aid early detection of exploitation attempts.
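One way to act on the log-monitoring recommendation, as an added example that is not part of the advisory or of any OffSeq or vendor tooling: a small check that flags requests whose URL-decoded query string carries WordPress shortcode syntax. The log lines are constructed samples with fictitious addresses, and the regular expression is an assumption about what "shortcode-like" means, so it is a triage aid rather than a finished WAF rule:

```php
<?php
// Added example (not from the advisory). Flags requests whose decoded target
// contains WordPress shortcode syntax such as [name] or [name attr="v"].

// Shortcode syntax: opening bracket, tag name, optional attributes, closing bracket.
const SHORTCODE_PATTERN = '/\[[A-Za-z0-9_\-]+(?:\s+[^\]]*)?\]/';

/**
 * Return the shortcode-like fragments found in a request target, or an
 * empty array when there are none.
 */
function find_shortcode_syntax( string $request ) : array {
    // Decode twice: the log keeps the encoded form, and payloads are sometimes
    // percent-encoded more than once before they reach the server.
    $decoded = rawurldecode( rawurldecode( $request ) );
    if ( preg_match_all( SHORTCODE_PATTERN, $decoded, $m ) ) {
        return $m[0];
    }
    return array();
}

/**
 * Scan combined-format access log lines and return [request => fragments]
 * for every request that carries shortcode syntax.
 */
function scan_access_log( array $lines ) : array {
    $findings = array();
    foreach ( $lines as $line ) {
        // Pull the request target out of the quoted request section; the
        // bracketed timestamp earlier in the line is never examined.
        if ( preg_match( '/"(?:GET|POST|PUT) (\S+) HTTP/', $line, $req ) ) {
            $hits = find_shortcode_syntax( $req[1] );
            if ( $hits ) {
                $findings[ $req[1] ] = $hits;
            }
        }
    }
    return $findings;
}

// Constructed sample lines (Apache combined format, fictitious hosts, no real endpoint).
$sample_log = array(
    '203.0.113.5 - - [10/Oct/2025:10:00:01 +0000] "GET /shop/?product=42 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Oct/2025:10:00:02 +0000] "GET /shop/?product=%5Bexample_tag%5D HTTP/1.1" 200 210',
    '198.51.100.7 - - [10/Oct/2025:10:00:03 +0000] "GET /?s=%5Bgallery+ids%3D%221%22%5D HTTP/1.1" 200 4096',
);

foreach ( scan_access_log( $sample_log ) as $request => $hits ) {
    echo 'ALERT shortcode syntax in request: ' . $request . ' -> ' . implode( ', ', $hits ) . PHP_EOL;
}
```

Run against real logs, expect some noise: site search strings and legitimate bracketed text will match, so treat a hit as a reason to look at the request and the responding plugin, not as confirmation of exploitation. Pairing the check with the list of plugin endpoints that accept anonymous requests narrows it considerably.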
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, India, Brazil, Japan, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-01-16T19:08:17.265Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f6e59b7ef31ef0b59ec7d
Added to database: 2/25/2026, 9:49:13 PM
Last enriched: 2/26/2026, 12:26:37 AM
Last updated: 2/26/2026, 8:52:14 AM