3 vulnerabilities found for CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x by villatheme
CVE-2026-11778 (GCVE-0-2026-11778)
Vulnerability from cvelistv5 – Published: 2026-07-03 07:53 – Updated: 2026-07-03 07:53
Title
CURCY <= 2.2.14 - Unauthenticated Arbitrary Shortcode Execution via 'exchange' Parameter
Summary
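The CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.2.14. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes. Note that the CVSS vector published with this record uses PR:L (low privileges required), which does not match the "unauthenticated" wording here and in the title; confirm the actual privilege requirement against the referenced Wordfence advisory before relying on the 5.4 score for prioritisation.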
Severity ?
5.4 (Medium)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| villatheme | CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x | Affected: 0, ≤ 2.2.14 (semver) |
Credits
sterva
{
"containers": {
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CURCY \u2013 Multi Currency for WooCommerce \u2013 Smoothly on WooCommerce 9.x",
"vendor": "villatheme",
"versions": [
{
"lessThanOrEqual": "2.2.14",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "sterva"
}
],
"descriptions": [
{
"lang": "en",
"value": "The The CURCY \u2013 Multi Currency for WooCommerce \u2013 Smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.2.14. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-03T07:53:08.623Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5a30e5dc-1f15-40ce-9703-1e1add1df6da?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woo-multi-currency/trunk/frontend/cache.php#L108"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woo-multi-currency/trunk/frontend/cache.php#L99"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woo-multi-currency/trunk/frontend/cache.php#L18"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-09T12:30:38.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-07-02T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "CURCY \u003c= 2.2.14 - Unauthenticated Arbitrary Shortcode Execution via \u0027exchange\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-11778",
"datePublished": "2026-07-03T07:53:08.623Z",
"dateReserved": "2026-06-09T12:15:26.855Z",
"dateUpdated": "2026-07-03T07:53:08.623Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-13487 (GCVE-0-2024-13487)
Vulnerability from cvelistv5 – Published: 2025-02-06 06:53 – Updated: 2026-06-03 14:25
Title
CURCY – Multi Currency for WooCommerce <= 2.2.5 - Unauthenticated Arbitrary Shortcode Execution via get_products_price Function
Summary
The CURCY – Multi Currency for WooCommerce – The best free currency exchange plugin – Run smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution via the get_products_price() function in all versions up to, and including, 2.2.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Severity ?
7.3 (High)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| villatheme | CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x | Affected: 0, ≤ 2.2.5 (semver) |
Credits
Michael Mazzolini
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-13487",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-06T14:31:03.556149Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T14:25:41.033Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CURCY \u2013 Multi Currency for WooCommerce \u2013 Smoothly on WooCommerce 9.x",
"vendor": "villatheme",
"versions": [
{
"lessThanOrEqual": "2.2.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michael Mazzolini"
}
],
"descriptions": [
{
"lang": "en",
"value": "The The CURCY \u2013 Multi Currency for WooCommerce \u2013 The best free currency exchange plugin \u2013 Run smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution via the get_products_price() function in all versions up to, and including, 2.2.5. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:26:17.368Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d630dd85-0169-4582-a8ae-54e5053425ac?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/woo-multi-currency/trunk/frontend/cache.php#L60"
},
{
"url": "https://wordpress.org/plugins/woo-multi-currency/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3234505/"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-02-05T18:44:02.000Z",
"value": "Disclosed"
}
],
"title": "CURCY \u2013 Multi Currency for WooCommerce \u003c= 2.2.5 - Unauthenticated Arbitrary Shortcode Execution via get_products_price Function"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-13487",
"datePublished": "2025-02-06T06:53:40.819Z",
"dateReserved": "2025-01-16T19:08:17.265Z",
"dateUpdated": "2026-06-03T14:25:41.033Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-4376 (GCVE-0-2021-4376)
Vulnerability from cvelistv5 – Published: 2023-06-07 01:51 – Updated: 2026-04-08 17:26
Title
WooCommerce Multi Currency <= 2.1.17 - Missing Authorization
Summary
The WooCommerce Multi Currency plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.17. This makes it possible for authenticated attackers to change the price of a product to an arbitrary value.
Severity ?
4.3 (Medium)
CWE
- CWE-862 - Missing Authorization
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| villatheme | CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x | Affected: 0, ≤ 2.1.17 (semver) |
Credits
Jerome Bruandet
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T17:23:10.719Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d8a490c6-14c1-4c71-b44c-1e362cc892a8?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://wpscan.com/vulnerability/480125bc-bab3-45b8-9325-a4d406655a61"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/woo-multi-currency/#developers"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2734576%40woo-multi-currency\u0026new=2734576%40woo-multi-currency\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-4376",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-12-20T23:26:59.952955Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-12-20T23:50:01.341Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CURCY \u2013 Multi Currency for WooCommerce \u2013 Smoothly on WooCommerce 9.x",
"vendor": "villatheme",
"versions": [
{
"lessThanOrEqual": "2.1.17",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jerome Bruandet"
}
],
"descriptions": [
{
"lang": "en",
"value": "The WooCommerce Multi Currency plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.17. This makes it possible for authenticated attackers to change the price of a product to an arbitrary value."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:26:55.408Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d8a490c6-14c1-4c71-b44c-1e362cc892a8?source=cve"
},
{
"url": "https://wpscan.com/vulnerability/480125bc-bab3-45b8-9325-a4d406655a61"
},
{
"url": "https://wordpress.org/plugins/woo-multi-currency/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=2734576%40woo-multi-currency\u0026new=2734576%40woo-multi-currency\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2021-09-13T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "WooCommerce Multi Currency \u003c= 2.1.17 - Missing Authorization"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2021-4376",
"datePublished": "2023-06-07T01:51:46.083Z",
"dateReserved": "2023-06-06T13:20:38.952Z",
"dateUpdated": "2026-04-08T17:26:55.408Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}