CVE-2019-18668 - Vulnerability Details - OpenCVE

ReportizFlow

An issue was discovered in the Currency Switcher addon before 2.11.2 for WooCommerce if a user provides a currency that was not added by the administrator. In this case, even though the currency does not exist, it will be selected, but a price amount will fall back to the default currency. This means that if an attacker provides a currency that does not exist and is worth less than this default, the attacker can eventually purchase an item for a significantly cheaper price.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact None

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact None

Integrity Impact Partial

Availability Impact None

AV:N/AC:L/Au:S/C:N/I:P/A:N

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Wpwham	Currency Switcher For Woocommerce

Configuration 1 [-]

cpe:2.3:a:wpwham:currency_switcher_for_woocommerce:*:*:*:*:*:wordpress:*:*

No data.

References

Link	Providers
https://wordpress.org/plugins/currency-switcher-woocommerce/#developers
https://wpvulndb.com/vulnerabilities/9936
https://www.infigo.hr/en/critical-vulnerability-in-currency-switcher-for-woocommerce-n61

History

No history.

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2019-11-02T15:29:16

Updated: 2024-08-05T01:54:14.483Z

Reserved: 2019-11-02T00:00:00

Link: CVE-2019-18668

Vulnrichment

No data.

NVD

Status : Modified

Published: 2019-11-02T16:15:10.310

Modified: 2024-11-21T04:33:29.677

Link: CVE-2019-18668

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in the Currency Switcher addon before 2.11.2 for WooCommerce if a user provides a currency that was not added by the administrator. In this case, even though the currency does not exist, it will be selected, but a price amount will fall back to the default currency. This means that if an attacker provides a currency that does not exist and is worth less than this default, the attacker can eventually purchase an item for a significantly cheaper price."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2019-11-04T15:06:24", "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.infigo.hr/en/critical-vulnerability-in-currency-switcher-for-woocommerce-n61"}, {"tags": ["x_refsource_MISC"], "url": "https://wordpress.org/plugins/currency-switcher-woocommerce/#developers"}, {"tags": ["x_refsource_MISC"], "url": "https://wpvulndb.com/vulnerabilities/9936"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "[email protected]", "ID": "CVE-2019-18668", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "An issue was discovered in the Currency Switcher addon before 2.11.2 for WooCommerce if a user provides a currency that was not added by the administrator. In this case, even though the currency does not exist, it will be selected, but a price amount will fall back to the default currency. This means that if an attacker provides a currency that does not exist and is worth less than this default, the attacker can eventually purchase an item for a significantly cheaper price."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "https://www.infigo.hr/en/critical-vulnerability-in-currency-switcher-for-woocommerce-n61", "refsource": "MISC", "url": "https://www.infigo.hr/en/critical-vulnerability-in-currency-switcher-for-woocommerce-n61"}, {"name": "https://wordpress.org/plugins/currency-switcher-woocommerce/#developers", "refsource": "MISC", "url": "https://wordpress.org/plugins/currency-switcher-woocommerce/#developers"}, {"name": "https://wpvulndb.com/vulnerabilities/9936", "refsource": "MISC", "url": "https://wpvulndb.com/vulnerabilities/9936"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T01:54:14.483Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.infigo.hr/en/critical-vulnerability-in-currency-switcher-for-woocommerce-n61"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wordpress.org/plugins/currency-switcher-woocommerce/#developers"}, {"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://wpvulndb.com/vulnerabilities/9936"}]}]}, "cveMetadata": {"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "cveId": "CVE-2019-18668", "datePublished": "2019-11-02T15:29:16", "dateReserved": "2019-11-02T00:00:00", "dateUpdated": "2024-08-05T01:54:14.483Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wpwham:currency_switcher_for_woocommerce:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "50709498-6D63-4AF4-BCD3-671A339C7CB9", "versionEndExcluding": "2.11.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "An issue was discovered in the Currency Switcher addon before 2.11.2 for WooCommerce if a user provides a currency that was not added by the administrator. In this case, even though the currency does not exist, it will be selected, but a price amount will fall back to the default currency. This means that if an attacker provides a currency that does not exist and is worth less than this default, the attacker can eventually purchase an item for a significantly cheaper price."}, {"lang": "es", "value": "Se detect\u00f3 un problema en el addon Currency Switcher anteriores a 2.11.2 para WooCommerce, si un usuario suministra una moneda que no fue agregada por el administrador. En este caso, aunque la moneda no exista, ser\u00e1 seleccionada, pero el monto del precio regresar\u00e1 a la moneda predeterminada. Esto significa que si un atacante suministra una moneda que no existe y vale menos que este valor predeterminado, el atacante puede comprar un art\u00edculo a un precio significativamente m\u00e1s barato."}], "id": "CVE-2019-18668", "lastModified": "2024-11-21T04:33:29.677", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 4.0, "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 2.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "[email protected]", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "[email protected]", "type": "Primary"}]}, "published": "2019-11-02T16:15:10.310", "references": [{"source": "[email protected]", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://wordpress.org/plugins/currency-switcher-woocommerce/#developers"}, {"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://wpvulndb.com/vulnerabilities/9936"}, {"source": "[email protected]", "tags": ["Third Party Advisory"], "url": "https://www.infigo.hr/en/critical-vulnerability-in-currency-switcher-for-woocommerce-n61"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Release Notes", "Vendor Advisory"], "url": "https://wordpress.org/plugins/currency-switcher-woocommerce/#developers"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://wpvulndb.com/vulnerabilities/9936"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.infigo.hr/en/critical-vulnerability-in-currency-switcher-for-woocommerce-n61"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-755"}], "source": "[email protected]", "type": "Primary"}]}