CVE-2022-46796
📋 TL;DR
CVE-2022-46796 is a Missing Authorization vulnerability in the VillaTheme CURCY (WooCommerce Multi-Currency) WordPress plugin that allows unauthenticated attackers to change plugin settings. It affects all WordPress sites running CURCY versions up to 2.1.25. Attackers can modify currency settings without authentication.
💻 Affected Systems
- VillaTheme CURCY (WooCommerce Multi-Currency)
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could manipulate currency conversion rates, pricing, or payment settings, leading to financial loss, price manipulation, or disruption of e-commerce functionality.
Likely Case
Attackers modify currency settings to display incorrect prices, manipulate exchange rates, or disrupt multi-currency functionality affecting customer trust and sales.
If Mitigated
With proper access controls, only authenticated administrators could modify plugin settings, preventing unauthorized changes.
🎯 Exploit Status
Exploitation requires sending crafted requests to vulnerable endpoints. Public proof-of-concept exists.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.1.26
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find CURCY - WooCommerce Multi-Currency.
4. Click 'Update Now' if available.
5. Alternatively, download version 2.1.26+ from the WordPress repository and update manually.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the CURCY plugin until patched
wp plugin deactivate woo-multi-currency
Web Application Firewall Rule
Block requests to vulnerable CURCY endpoints
Add WAF rule to block: /wp-admin/admin-ajax.php?action=curcy_* from unauthenticated sources
🧯 If You Can't Patch
- Disable CURCY plugin completely
- Implement strict network access controls to WordPress admin interfaces
🔍 How to Verify
Check if Vulnerable:
Check WordPress plugin version: In WordPress admin, go to Plugins > Installed Plugins, find CURCY - WooCommerce Multi-Currency and check version number.
Check Version:
wp plugin get woo-multi-currency --field=version
Verify Fix Applied:
Verify CURCY plugin version is 2.1.26 or higher. Test that unauthenticated requests to plugin settings endpoints return proper authorization errors.
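The version check above can be scripted so it runs the same way on every site in a fleet. The following is an added example, not part of the advisory or of the CURCY plugin: it wraps the `wp plugin get woo-multi-currency --field=version` command shown above, parses the result into a comparable tuple, and reports whether the installed version is at or above the 2.1.26 fix. It assumes WP-CLI is on PATH and that the WordPress root is passed as `--path`; the `FIXED_VERSION` constant is the patch version stated in this advisory.

```python
import re
import subprocess

# Patch version stated in the advisory's "Official Fix" section.
FIXED_VERSION = (2, 1, 26)
# Plugin slug used by the wp-cli command in the "Check Version" step.
PLUGIN_SLUG = "woo-multi-currency"


def parse_version(text):
    """Turn a version string such as '2.1.25' into a tuple of ints.

    Only the leading dotted-numeric part is used; a suffix such as '-beta1'
    is ignored, so a pre-release compares like its base release.
    """
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def is_fixed(version):
    """Return True when `version` is 2.1.26 or higher.

    Shorter tuples are zero-padded so that '2.2' compares greater than
    '2.1.26' and '2.1' compares lower, as plain tuple comparison would not.
    """
    v = parse_version(version)
    width = max(len(v), len(FIXED_VERSION))
    v = v + (0,) * (width - len(v))
    f = FIXED_VERSION + (0,) * (width - len(FIXED_VERSION))
    return v >= f


def installed_version(wp_root="."):
    """Query WP-CLI for the installed CURCY version (assumes `wp` is on PATH)."""
    result = subprocess.run(
        ["wp", "plugin", "get", PLUGIN_SLUG, "--field=version", f"--path={wp_root}"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.strip()


def main(wp_root="."):
    """Exit 0 when patched, 1 when vulnerable, 2 when the check could not run."""
    try:
        version = installed_version(wp_root)
    except (FileNotFoundError, subprocess.CalledProcessError) as exc:
        print(f"could not query wp-cli: {exc}")
        return 2
    if is_fixed(version):
        print(f"CURCY {version}: at or above 2.1.26, CVE-2022-46796 fix present")
        return 0
    print(f"CURCY {version}: below 2.1.26, update required for CVE-2022-46796")
    return 1


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it from the WordPress root (or pass the root as the argument to `main`); the exit code makes it easy to feed into a fleet-wide inventory job.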
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with curcy_* actions from unauthenticated IPs
- Multiple failed authentication attempts followed by successful curcy endpoint access
Network Indicators:
- Unusual traffic patterns to WordPress admin-ajax.php from external sources
- Requests containing 'action=curcy_' parameters from non-admin users
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php" AND query="*action=curcy_*") AND user="-"
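The SIEM query above can be reproduced offline against raw web-server logs. The following is an added example, not part of the advisory: it parses Apache combined-format lines, and flags requests where the path is `/wp-admin/admin-ajax.php`, the query string carries an `action` beginning with `curcy_`, and the remote-user field is `-`, mirroring the three conditions of the SIEM query. The log lines are constructed for the example. One caveat a practitioner should keep in mind: the remote-user field only reflects HTTP basic authentication, not WordPress cookie sessions, so it reads `-` for nearly all WordPress traffic, and an `action` sent in a POST body rather than the query string is invisible to this check unless the server or WAF logs request bodies.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache combined log format (not from any real incident).
SAMPLE_LOG = """\
203.0.113.10 - - [05/Dec/2022:10:01:12 +0000] "POST /wp-admin/admin-ajax.php?action=curcy_save_settings HTTP/1.1" 200 512 "-" "curl/7.85.0"
198.51.100.7 - admin [05/Dec/2022:10:02:30 +0000] "POST /wp-admin/admin-ajax.php?action=curcy_update_rates HTTP/1.1" 200 220 "https://shop.example/wp-admin/" "Mozilla/5.0"
203.0.113.10 - - [05/Dec/2022:10:03:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 90 "-" "Mozilla/5.0"
192.0.2.44 - - [05/Dec/2022:10:04:41 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 310 "-" "python-requests/2.28"
203.0.113.10 - - [05/Dec/2022:10:05:59 +0000] "GET /wp-admin/admin-ajax.php?action=curcy_get_rates&v=1 HTTP/1.1" 200 180 "-" "curl/7.85.0"
"""

# Apache combined format: ip ident user [time] "method target protocol" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION_PREFIX = "curcy_"


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs returns a list per key, so repeated 'action' parameters are all kept.
    rec["query"] = parse_qs(parts.query)
    return rec


def is_unauth_curcy_request(rec):
    """Mirror the SIEM query: admin-ajax path, curcy_* action, and no HTTP auth user."""
    if rec["path"] != AJAX_PATH or rec["user"] != "-":
        return False
    return any(a.startswith(ACTION_PREFIX) for a in rec["query"].get("action", []))


def scan(log_text):
    """Return a list of hits: one dict per matching line with ip, timestamp and action."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_unauth_curcy_request(rec):
            continue
        hits.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "method": rec["method"],
            "action": rec["query"]["action"][0],
        })
    return hits


def hits_by_ip(hits):
    """Count hits per source IP so repeated probing from one address stands out."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]} {h["method"]} action={h["action"]}')
    print("per-IP counts:", hits_by_ip(scan(SAMPLE_LOG)))
```

Point `scan` at a real access log and feed the per-IP counts into whatever alerting threshold suits the site; because most legitimate `admin-ajax.php` traffic also shows `-` in the user field, the `curcy_` action prefix is the part of the rule that carries the signal.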