CVE-2024-13320
📋 TL;DR
This SQL injection vulnerability in the CURCY WooCommerce Multi Currency plugin lets unauthenticated attackers inject SQL into a query the plugin runs against the WordPress database, via the wc_filter_price_meta[where] request parameter. All WordPress sites running this plugin up to and including version 2.3.6 are affected. The WordPress database holds user accounts and password hashes, WooCommerce orders with customer and payment-related details, and plugin and theme settings, so a successful injection can expose all of it.
💻 Affected Systems
- CURCY - WooCommerce Multi Currency - Currency Switcher
⚠️ Manual Verification Required
The NVD entry for this CVE carries no affected-version range, so scanners that key on NVD version data cannot tell whether your site is affected. Use the vendor's fix version instead: builds up to and including 2.3.6 are vulnerable, 2.3.7 and later are fixed.
- Review the CVE details at NVD
- Check the vendor's changelog and security notices for your installed version
- Confirm the installed version on every site that runs the plugin (see "How to Verify" below)
- Test whether the vulnerability is exploitable in your environment, only on systems you are authorised to test
- Update to the latest version as a precaution even if you cannot confirm exposure
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including exfiltration of all user data, administrative credentials, payment information, and potential privilege escalation to full site control.
Likely Case
Data exfiltration of sensitive information including user emails, hashed passwords, order details, and potentially plugin/theme configuration data.
If Mitigated
With the plugin deactivated or the parameter blocked at the WAF, exposure is limited to whatever an attacker reached before the block went in. Two caveats: the WordPress database user normally has full privileges on every site table, so restricting database permissions rarely narrows what an injection can read, and encryption at rest does not help, because the database decrypts data transparently for the injected query just as it does for legitimate ones.
🎯 Exploit Status
The vulnerability requires no authentication: a single HTTP request carrying a SQL fragment in the wc_filter_price_meta[where] parameter reaches the vulnerable query. The parameter name indicates the value is spliced into a WHERE clause, and the brackets may arrive literal or percent-encoded (wc_filter_price_meta%5Bwhere%5D), so detection and blocking must cover both forms.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.3.7 or later
Vendor page (CodeCanyon listing): https://codecanyon.net/item/woocommerce-multi-currency/20948446
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'CURCY - WooCommerce Multi Currency'.
4. Click 'Update Now' if available.
5. If a manual update is needed, download version 2.3.7+ from CodeCanyon and replace the plugin files via FTP/SFTP.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Platform: WordPress. Disable the vulnerable plugin until patched:
wp plugin deactivate curcy-woocommerce-multi-currency
The slug must match the plugin's directory name under wp-content/plugins; if the command reports that the plugin is not found, list installed slugs with `wp plugin list` and use the one shown there.
Web Application Firewall Rule
Platform: all. Block requests that carry SQL injection payloads in the vulnerable parameter.
Add a WAF rule that matches the wc_filter_price_meta[where] parameter in both its literal and percent-encoded (wc_filter_price_meta%5Bwhere%5D) forms and blocks values containing SQL keywords such as UNION, SELECT, INSERT, UPDATE, DELETE or DROP, or tautologies such as OR 1=1. Match OR and AND only as whole words followed by a comparison, not as bare substrings, or ordinary product searches will be blocked. If your access logs show no legitimate traffic carrying this parameter at all, the simplest rule is to block any request that includes it.
🧯 If You Can't Patch
- Disable the CURCY plugin immediately
- Implement strict WAF rules to block SQL injection patterns in all request parameters
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins for CURCY version. If version is 2.3.6 or lower, you are vulnerable.
Check Version:
wp plugin get curcy-woocommerce-multi-currency --field=version
Verify Fix Applied:
Verify plugin version shows 2.3.7 or higher in WordPress admin panel. Test that currency switching functionality still works properly.
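Added example (not part of this page or the plugin): the version check above, done against `wp plugin list --format=json` output so it can run across many sites. It matches the plugin by a fragment of its slug, because the directory name on a given site may differ from the one quoted in the workaround command, and it compares versions numerically, because a string comparison would rank 2.3.10 below 2.3.7. The plugin-list sample and the slug fragment are constructed assumptions.

```python
"""Decide whether the installed CURCY build is below the 2.3.7 fix.

Added example for CVE-2024-13320; not code from the plugin or this page.
The plugin-list JSON below is constructed for the example.
"""
import json
import re
import subprocess

FIXED_VERSION = "2.3.7"
# The directory slug varies between sites, so match on a distinctive fragment
# rather than on the exact slug quoted in the workaround command (assumption).
SLUG_FRAGMENT = "multi-currency"

# Constructed sample in the shape `wp plugin list --format=json` produces.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "woocommerce", "status": "active", "update": "none", "version": "9.5.1"},
    {"name": "curcy-woocommerce-multi-currency", "status": "active",
     "update": "available", "version": "2.3.6"},
    {"name": "akismet", "status": "inactive", "update": "none", "version": "5.3.5"},
])


def version_key(version):
    """Numeric tuple so that 2.3.10 sorts after 2.3.7 (string compare would not)."""
    return tuple(int(n) for n in re.findall(r"\d+", version))


def assess(plugin_list_json, fixed=FIXED_VERSION):
    """Return a verdict dict for the currency-switcher plugin on this site."""
    for plugin in json.loads(plugin_list_json):
        if SLUG_FRAGMENT in plugin["name"]:
            vulnerable = version_key(plugin["version"]) < version_key(fixed)
            return {
                "slug": plugin["name"],
                "version": plugin["version"],
                "active": plugin["status"] == "active",
                # WordPress does not load inactive plugins, so their hooks are
                # not registered, but the files stay on disk and become
                # exploitable the moment someone re-enables the plugin, so an
                # inactive old copy is still reported as vulnerable.
                "verdict": "vulnerable" if vulnerable else "fixed",
            }
    return {"slug": None, "version": None, "active": False, "verdict": "not_installed"}


if __name__ == "__main__":
    # Use the live site when wp-cli is on PATH, otherwise fall back to the sample.
    try:
        out = subprocess.run(["wp", "plugin", "list", "--format=json"],
                             check=True, capture_output=True, text=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        out = SAMPLE_PLUGIN_LIST
    print(json.dumps(assess(out), indent=2))
```

Run it from the WordPress root on each host; a verdict of "vulnerable" with "active": false still means the update is needed before the plugin is ever re-enabled.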
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing the wc_filter_price_meta[where] parameter (literal or percent-encoded brackets) with SQL keywords in its value
- Repeated requests to the same storefront URL from one source address with varying parameter values, which is what injection fuzzing looks like in an access log
- MySQL syntax errors in the PHP error log that coincide with those requests
Network Indicators:
- HTTP POST/GET requests with SQL injection payloads in parameters
- Unusual traffic patterns to WooCommerce currency endpoints
SIEM Query:
source="web_access_logs" AND (uri_query="*wc_filter_price_meta*" OR parameters="*wc_filter_price_meta*" OR parameters="*UNION*SELECT*" OR parameters="*OR 1=1*")
Field names follow your SIEM's web-log schema; the parameter travels in the query string or POST body, not the URL path, so match on the query-string or decoded-parameter fields. Note that POST bodies are normally absent from web server access logs, so request-body injection is only visible with WAF or application-level logging.
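Added example (not part of this page or any SIEM product): the log indicators above turned into a scanner over combined-format access logs. It recognises the parameter whether the brackets are literal, percent-encoded or double-encoded, flags values that look like injected SQL separately from mere presence of the parameter, and counts hits per source address. The log lines are constructed for the example; whether legitimate traffic on your site ever carries the parameter is an assumption to check before alerting on presence alone.

```python
"""Scan Apache/nginx combined-format access logs for probes against the
CURCY wc_filter_price_meta[where] parameter (CVE-2024-13320).

Added example; not code from the plugin or this page. The log lines in
SAMPLE_LOG are constructed.
"""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

PARAM = "wc_filter_price_meta[where]"

# Combined log format: ip ident user [time] "METHOD target PROTO" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Keywords are matched on word boundaries so product names containing "or" or
# "and" do not trip the rule; tautologies such as "OR 1=1" are matched as a unit.
SQL_RE = re.compile(
    r"\b(?:union|select|insert|update|delete|drop|sleep|benchmark|information_schema)\b"
    r"|\b(?:or|and)\b\s+\S+\s*=\s*\S+"
    r"|--|/\*",
    re.IGNORECASE,
)

# Constructed sample: two probes, one benign catalogue request, one request that
# carries the parameter with an empty value, and a POST whose body the access
# log does not record (body-borne injection needs WAF or application logging).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jan/2025:10:02:11 +0000] "GET /shop/?min_price=10&max_price=50&wc_filter_price_meta%5Bwhere%5D=%29+UNION+SELECT+user_login%2Cuser_pass+FROM+wp_users--+- HTTP/1.1" 200 5120
198.51.100.9 - - [14/Jan/2025:10:03:40 +0000] "GET /shop/?wc_filter_price_meta[where]=1%20OR%201%3D1 HTTP/1.1" 200 4096
192.0.2.5 - - [14/Jan/2025:10:05:02 +0000] "GET /shop/?orderby=price&paged=2 HTTP/1.1" 200 8000
192.0.2.11 - - [14/Jan/2025:10:05:40 +0000] "GET /shop/?wc_filter_price_meta%5Bwhere%5D= HTTP/1.1" 200 4096
192.0.2.8 - - [14/Jan/2025:10:06:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 300
"""


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def param_values(target):
    """All values sent for wc_filter_price_meta[where] in one request target.

    parse_qsl percent-decodes once, so the encoded key
    wc_filter_price_meta%5Bwhere%5D is recognised; the extra unquote_plus
    catches double-encoded probes (%255B -> %5B -> [). Decoding twice can
    mangle a legitimate literal percent sign, which is acceptable for detection.
    """
    values = []
    for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if unquote_plus(key) == PARAM:
            values.append(unquote_plus(value))
    return values


def scan(log_text):
    """One finding per request that carries the parameter.

    reason is "sql_keyword" when the value looks like injected SQL and
    "param_present" otherwise. Whether a normal storefront ever sends this
    parameter depends on the theme's price filter (assumption to verify), so
    treat param_present as a lower-severity signal until you have checked.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for value in param_values(rec["target"]):
            reason = "sql_keyword" if SQL_RE.search(value) else "param_present"
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "value": value, "reason": reason})
    return findings


def hits_by_ip(findings):
    """Findings per source address, to spot one scanner fuzzing the parameter."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['reason']}: {f['value']!r}")
    print(dict(hits_by_ip(scan(SAMPLE_LOG))))
```

Feed it your real access log instead of SAMPLE_LOG (for example `scan(open("/var/log/nginx/access.log").read())`); for sites behind a reverse proxy, make sure the log's first field is the client address from the forwarded header rather than the proxy's, or hits_by_ip will collapse every source into one.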