CVE-2024-13320 Overview
CVE-2024-13320 is a SQL Injection vulnerability in the CURCY - WooCommerce Multi Currency - Currency Switcher plugin for WordPress. The flaw affects all versions up to and including 2.3.6. The plugin fails to properly escape the wc_filter_price_meta[where] parameter and does not adequately prepare the underlying SQL query. Unauthenticated attackers can append additional SQL clauses to existing queries through this parameter. Successful exploitation enables extraction of sensitive information from the WordPress database, including user credentials, session tokens, and customer data. The vulnerability is classified under CWE-89, Improper Neutralization of Special Elements used in an SQL Command.
Critical Impact
Unauthenticated attackers can exfiltrate sensitive database contents from any WordPress site running CURCY plugin versions 2.3.6 or earlier.
Affected Products
- CURCY - WooCommerce Multi Currency - Currency Switcher plugin for WordPress
- All plugin versions up to and including 2.3.6
- WordPress sites running WooCommerce with this plugin enabled
Discovery Timeline
- 2025-03-07 - CVE-2024-13320 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-13320
Vulnerability Analysis
The vulnerability resides in how the CURCY plugin processes the wc_filter_price_meta[where] request parameter. The plugin concatenates the user-supplied value directly into an SQL statement without parameterized queries or escape routines. This pattern violates secure coding practices defined for the WordPress $wpdb database abstraction layer.
The where array key suggests the parameter is appended to a SQL WHERE clause used for filtering WooCommerce product price metadata. Because the input is treated as trusted, attackers can break out of the intended clause and append arbitrary SQL fragments. The query executes with the same database privileges as the WordPress installation, granting read access across all WordPress and WooCommerce tables.
No authentication is required to reach the vulnerable code path. The attack vector is the network, and exploitation requires no user interaction.
Root Cause
The root cause is insufficient escaping of the wc_filter_price_meta[where] parameter combined with the absence of $wpdb->prepare() placeholders on the existing SQL query. The plugin treats array-keyed request input as safe SQL fragments rather than untrusted user data.
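The root-cause pattern beside its fix, as an added example that is not the plugin's code (the plugin source is not reproduced on this page). Python with sqlite3 stands in for the plugin's PHP/$wpdb code; the postmeta table, its rows, and the function names are constructed for illustration. The vulnerable function concatenates the request's where fragment exactly as described above, so the client decides the shape of the query; the hardened function stops accepting SQL from the request altogether, takes numeric min/max bounds instead, validates them, and binds them with placeholders, which is the same approach as building the clause in code and passing only values through $wpdb->prepare().

```python
import sqlite3

# Constructed stand-in for wp_postmeta (post_id, meta_key, meta_value). Python/sqlite3 takes
# the place of the plugin's PHP/$wpdb code; the query-building pattern is what matters here.
SAMPLE_ROWS = [
    (10, "_price", "9.99"),
    (11, "_price", "25.00"),
    (12, "_price", "120.00"),
    (13, "_sku", "SHIRT-01"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE postmeta (post_id INTEGER, meta_key TEXT, meta_value TEXT)")
    conn.executemany("INSERT INTO postmeta VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_price_filter(conn, request):
    """Root-cause pattern: a request-supplied SQL fragment is concatenated into WHERE.

    Whatever arrives in wc_filter_price_meta[where] becomes part of the statement,
    so the client, not the plugin, decides which rows the query reaches.
    """
    where = request["wc_filter_price_meta"]["where"]
    sql = ("SELECT post_id FROM postmeta WHERE meta_key = '_price' AND "
           + where + " ORDER BY post_id")
    return [row[0] for row in conn.execute(sql)]


def hardened_price_filter(conn, request):
    """Hardened pattern: accept structured bounds only, validate them, bind with placeholders.

    Equivalent to building the clause in code and passing the values through
    $wpdb->prepare() instead of escaping a client-supplied fragment.
    """
    meta = request.get("wc_filter_price_meta", {})
    if "where" in meta:
        raise ValueError("raw SQL fragments are not accepted from the request")

    def as_price(key, default):
        raw = meta.get(key)
        if raw is None:
            return default
        try:
            return float(raw)  # rejects values such as "5 OR 1=1" or "5;"
        except (TypeError, ValueError):
            raise ValueError(f"wc_filter_price_meta[{key}] must be numeric") from None

    min_price = as_price("min", 0.0)
    max_price = as_price("max", None)

    sql = ("SELECT post_id FROM postmeta WHERE meta_key = '_price' "
           "AND CAST(meta_value AS REAL) >= ?")
    params = [min_price]
    if max_price is not None:
        sql += " AND CAST(meta_value AS REAL) <= ?"
        params.append(max_price)
    sql += " ORDER BY post_id"
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    db = make_db()
    benign = {"wc_filter_price_meta": {"where": "CAST(meta_value AS REAL) <= 30"}}
    tautology = {"wc_filter_price_meta": {"where": "1=1 OR meta_key = '_sku'"}}
    print(vulnerable_price_filter(db, benign))     # filter works as intended
    print(vulnerable_price_filter(db, tautology))  # fragment rewrote the query logic
    print(hardened_price_filter(db, {"wc_filter_price_meta": {"min": "5", "max": "30"}}))
```

The design point is that escaping the fragment would not have been enough: a WHERE clause is code, and no escaping routine turns code into data. The fix is to change the contract so the request carries only values.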
Attack Vector
An attacker sends a crafted HTTP request to a WordPress endpoint that triggers the CURCY price filter logic. The malicious payload is supplied through the wc_filter_price_meta[where] parameter and appended to the executing SQL statement. Techniques such as UNION SELECT injection or time-based blind injection extract data from wp_users, wp_usermeta, and WooCommerce order tables. See the Wordfence Vulnerability Report for additional technical context.
Detection Methods for CVE-2024-13320
Indicators of Compromise
- HTTP requests containing the wc_filter_price_meta[where] parameter with SQL keywords such as UNION, SELECT, SLEEP, or BENCHMARK
- Unusual database query latency correlated with WooCommerce filter requests
- WordPress access logs showing unauthenticated requests to WooCommerce shop or product archive endpoints with encoded SQL payloads
- Unexpected reads against wp_users and wp_usermeta tables from the WordPress database user
Detection Strategies
- Inspect WordPress and web server access logs for the wc_filter_price_meta parameter containing SQL metacharacters such as single quotes, comments, or parentheses
- Deploy a web application firewall rule that flags SQL keywords inside the wc_filter_price_meta[where] parameter
- Enable MySQL general query logging on development and staging environments to baseline legitimate plugin queries
- Monitor for anomalous query patterns targeting wp_users, wp_usermeta, and wp_options originating from WooCommerce request handlers
Monitoring Recommendations
- Forward WordPress access logs and MySQL audit logs to a centralized SIEM for correlation
- Alert on HTTP 500 responses tied to WooCommerce filter endpoints, which often indicate failed injection probes
- Track plugin version inventory across WordPress installations and flag any site running CURCY at version 2.3.6 or earlier
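A log-scanning and WAF-decision example covering the Detection Strategies and Monitoring Recommendations above, added here and not part of the advisory or of any vendor tooling. The log lines are constructed in combined log format with documentation-range IPs, the function names are hypothetical, and the keyword list is the one the advisory names (UNION, SELECT, SLEEP, BENCHMARK) plus quotes, parentheses, statement separators and comment markers. It decodes the query string so that the encoded array key wc_filter_price_meta%5Bwhere%5D is recognised, flags SQL-looking values, and raises the HTTP 500 correlation the monitoring section describes. The should_block helper models both WAF postures: blocking any request carrying the parameter until the patch is confirmed, or blocking only values that look like SQL.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format (not real traffic). The second and
# third requests carry SQL-looking values in wc_filter_price_meta[where]; the others
# are ordinary storefront traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [07/Mar/2025:10:01:12 +0000] "GET /shop/?min_price=10&max_price=50 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [07/Mar/2025:10:01:40 +0000] "GET /shop/?wc_filter_price_meta%5Bwhere%5D=1%3D1%20UNION%20SELECT%201%2C2 HTTP/1.1" 200 4880 "-" "python-requests/2.31"
203.0.113.9 - - [07/Mar/2025:10:01:41 +0000] "GET /shop/?wc_filter_price_meta%5Bwhere%5D=1%3D1%20AND%20SLEEP(5) HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.2 - - [07/Mar/2025:10:02:03 +0000] "GET /product-category/shirts/?orderby=price HTTP/1.1" 200 7012 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) '
)
PARAM_PREFIX = "wc_filter_price_meta"            # matches the bare key and any [subkey]
SQL_KEYWORDS = re.compile(r"\b(UNION|SELECT|SLEEP|BENCHMARK)\b", re.IGNORECASE)
SQL_METACHARS = re.compile(r"['\"();]|--|/\*")   # quotes, parentheses, separators, comments


def filter_param_values(target):
    """Decode the query string and return every wc_filter_price_meta[...] value."""
    decoded = parse_qs(urlsplit(target).query, keep_blank_values=True)  # %5B/%5D become [ ]
    return [v for name, vals in decoded.items() if name.startswith(PARAM_PREFIX) for v in vals]


def should_block(target, strict=False):
    """WAF-style decision for one request target.

    strict=True  -> block any request carrying the parameter (stop-gap until patched)
    strict=False -> block only values containing SQL keywords or metacharacters
    """
    values = filter_param_values(target)
    if strict:
        return bool(values)
    return any(SQL_KEYWORDS.search(v) or SQL_METACHARS.search(v) for v in values)


def classify(line):
    """Return an alert dict for a suspicious access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    values = filter_param_values(m.group("target"))
    reasons = set()
    for v in values:
        if SQL_KEYWORDS.search(v):
            reasons.add("sql_keyword")
        if SQL_METACHARS.search(v):
            reasons.add("sql_metachar")
    if values and m.group("status") == "500":
        reasons.add("http_500_on_filter")   # failed probes often surface as server errors
    if not reasons:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"),
            "reasons": sorted(reasons), "values": values}


def scan(log_text):
    """Run classify over every line and keep the alerts, in log order."""
    return [a for a in (classify(ln) for ln in log_text.splitlines()) if a]


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Decoding before matching matters: a signature that looks for the literal string wc_filter_price_meta[where] in the raw request line misses the percent-encoded form that browsers and HTTP libraries actually send, and the same applies to the keywords inside the value.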
How to Mitigate CVE-2024-13320
Immediate Actions Required
- Update the CURCY - WooCommerce Multi Currency plugin to the latest version released after 2.3.6
- Audit WordPress and WooCommerce databases for evidence of unauthorized read access
- Rotate WordPress administrator passwords, API keys, and WooCommerce secrets if exploitation is suspected
- Block requests containing the wc_filter_price_meta[where] parameter at the WAF until patching is confirmed
Patch Information
The vendor distributes CURCY through CodeCanyon. Site operators must download and install the patched release that supersedes version 2.3.6. Review the Wordfence Vulnerability Report for fixed version details.
Workarounds
- Deactivate the CURCY plugin until a patched version is installed
- Deploy a WAF signature blocking SQL metacharacters in the wc_filter_price_meta parameter
- Restrict the WordPress database user to least-privilege read scope where feasible to limit injection impact
- Place WooCommerce shop endpoints behind authentication or IP allow-listing on non-public storefronts
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.