CVE-2024-13487: CURCY WooCommerce Plugin RCE Vulnerability

CVE-2024-13487 is a remote code execution flaw in the CURCY Multi Currency for WooCommerce plugin allowing unauthenticated attackers to execute arbitrary shortcodes. This article covers the technical details, affected versions, and mitigation.

CVE-2024-13487 Overview

CVE-2024-13487 is an arbitrary shortcode execution vulnerability in the CURCY – Multi Currency for WooCommerce plugin for WordPress. The flaw affects all plugin versions up to and including 2.2.5. The vulnerability resides in the get_products_price() function, which passes unvalidated user-supplied values to WordPress's do_shortcode() function. Unauthenticated attackers can exploit the issue remotely over the network without user interaction. The weakness is classified as Improper Control of Generation of Code [CWE-94].

Critical Impact

Unauthenticated attackers can execute arbitrary WordPress shortcodes on vulnerable sites, potentially abusing legitimate shortcodes to disclose information, manipulate content, or pivot to further attacks against the WooCommerce store.

Affected Products

  • CURCY – Multi Currency for WooCommerce plugin for WordPress
  • All versions up to and including 2.2.5
  • WordPress sites running WooCommerce 9.x with the affected plugin enabled

Discovery Timeline

  • 2025-02-06 - CVE-2024-13487 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2024-13487

Vulnerability Analysis

The CURCY – Multi Currency for WooCommerce plugin exposes a frontend action that invokes the get_products_price() function defined in frontend/cache.php. This function accepts user-controlled input and passes it directly to WordPress's do_shortcode() function without validating that the supplied value is an expected shortcode or originates from an authorized source. WordPress shortcodes are server-side macros that execute PHP callbacks. By controlling the input passed to do_shortcode(), an attacker can invoke any shortcode registered on the target site, including those provided by other installed plugins or themes. The impact depends on the shortcodes available on the target installation but can include sensitive content disclosure, output manipulation, or abuse of administrative shortcodes.

Root Cause

The root cause is missing input validation before invoking do_shortcode(). The plugin assumes the input represents a benign price-related value, but no allow-list or syntactic check enforces that assumption. This pattern is a classic instance of CWE-94, Improper Control of Generation of Code.
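The pattern described above, modelled in Python as an added example (this is not the plugin's code, and WordPress's shortcode registry and do_shortcode() are replaced by a simplified stand-in; the shortcode names, callbacks and allow-list are constructed for illustration):

```python
import re

# Simplified stand-in for WordPress's shortcode registry. Names and callbacks
# are constructed for this example; "price_display" is not the plugin's real tag.
SHORTCODE_REGISTRY = {
    "price_display": lambda attrs: "12.00 USD",            # the kind of tag a price handler expects
    "site_admin_email": lambda attrs: "admin@example.test",  # an unrelated tag exposing sensitive data
}

# WordPress-style shortcode syntax: [tag attr="value" ...] or [tag/]
SHORTCODE_RE = re.compile(r"\[([a-zA-Z0-9_-]+)([^\]]*)\]")


def do_shortcode(content: str) -> str:
    """Model of WordPress do_shortcode(): expand every registered tag in content."""
    def expand(m):
        callback = SHORTCODE_REGISTRY.get(m.group(1))
        # Unregistered tags are left untouched, as WordPress does.
        return callback(m.group(2)) if callback else m.group(0)
    return SHORTCODE_RE.sub(expand, content)


def get_products_price_vulnerable(user_value: str) -> str:
    """Vulnerable pattern (CWE-94): the request parameter flows straight into do_shortcode(),
    so any registered shortcode on the site can be invoked by the caller."""
    return do_shortcode(user_value)


# Allow-list of the only shortcode tag the price handler is expected to render.
ALLOWED_TAGS = {"price_display"}


def get_products_price_hardened(user_value: str) -> str:
    """Hardened pattern: refuse the value unless every shortcode tag it contains is allow-listed.
    Plain values with no shortcode syntax pass through unchanged."""
    tags = [m.group(1) for m in SHORTCODE_RE.finditer(user_value)]
    if any(tag not in ALLOWED_TAGS for tag in tags):
        raise ValueError("unexpected shortcode in price parameter")
    return do_shortcode(user_value)
```

With the allow-list in place, a value carrying any tag outside the expected set is rejected before do_shortcode() ever sees it.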

Attack Vector

Exploitation occurs over the network against the WordPress site's public frontend. The attacker sends a crafted request that reaches the get_products_price() handler, embedding arbitrary shortcode syntax in the parameter that the function forwards to do_shortcode(). No authentication, privileges, or user interaction are required. The full list of usable shortcodes depends on the plugins and themes installed alongside CURCY. Technical details and the patched code are available in the WordPress Change Set #3234505 and the Wordfence Vulnerability Report.

Detection Methods for CVE-2024-13487

Indicators of Compromise

  • HTTP requests to WordPress admin-ajax or frontend endpoints containing shortcode syntax such as [ and ] characters in unexpected parameters tied to the woo-multi-currency plugin.
  • Unusual responses from the CURCY plugin's price-related AJAX actions that contain content from unrelated shortcodes.
  • Web server access logs showing repeated unauthenticated POST or GET requests targeting the plugin's frontend handlers.

Detection Strategies

  • Inspect web application firewall (WAF) logs for requests carrying shortcode markup in parameters consumed by the CURCY plugin.
  • Audit installed WordPress plugins for versions of woo-multi-currency at or below 2.2.5 and flag them as vulnerable.
  • Correlate plugin endpoint traffic with anomalous response sizes that suggest unintended shortcode rendering.
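The first two indicators above, turned into a log check as an added example (not from the original page): it parses combined-format access-log lines, decodes the query string, and flags requests to plugin-related paths whose parameters carry shortcode markup. The log lines, the AJAX action name and the path hints are constructed assumptions; request bodies of POST requests are not present in access logs and would need WAF or application logging.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache/Nginx "combined" access-log layout.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)
# WordPress shortcode syntax inside a decoded parameter value, e.g. [tag attr="x"] or [tag/].
SHORTCODE_RE = re.compile(r"\[[a-zA-Z0-9_-]+[^\]]*\]")
# Paths tied to the plugin's handlers (assumed). admin-ajax.php is shared by every plugin,
# so a request to it is only flagged when a parameter actually contains shortcode markup.
PLUGIN_PATH_HINTS = ("woo-multi-currency", "admin-ajax.php")

# Constructed sample lines; the action name wmc_get_products_price is a placeholder.
SAMPLE_LOG = [
    '203.0.113.7 - - [06/Feb/2025:10:15:01 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=wmc_get_products_price&price=%5Bsite_admin_email%5D HTTP/1.1" 200 512',
    '203.0.113.7 - - [06/Feb/2025:10:15:03 +0000] "GET /wp-admin/admin-ajax.php'
    '?action=wmc_get_products_price&price=19.99 HTTP/1.1" 200 64',
    '198.51.100.4 - - [06/Feb/2025:10:16:12 +0000] "GET /product/blue-shirt/'
    '?utm=%5Bfoo%5D HTTP/1.1" 200 9001',
]


def parse_line(line):
    """Parse one access-log line into a dict; query parameters are URL-decoded."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = dict(parse_qsl(parts.query, keep_blank_values=True))
    return rec


def flag_shortcode_injection(log_lines):
    """Return (ip, path, param, value) for each plugin-related request whose
    decoded query parameter contains WordPress shortcode syntax."""
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if not rec or not any(hint in rec["path"] for hint in PLUGIN_PATH_HINTS):
            continue
        for name, value in rec["params"].items():
            if SHORTCODE_RE.search(value):
                hits.append((rec["ip"], rec["path"], name, value))
    return hits
```

Only the first sample line is flagged: the second has a plain numeric price and the third carries bracket syntax on a path unrelated to the plugin.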

Monitoring Recommendations

  • Enable verbose logging on WordPress AJAX and frontend handlers exposed by the CURCY plugin.
  • Monitor outbound network requests from the WordPress host that could indicate shortcode-driven server-side actions.
  • Track new file creation, scheduled task changes, and option modifications in the WordPress database following exploitation attempts.

How to Mitigate CVE-2024-13487

Immediate Actions Required

  • Upgrade the CURCY – Multi Currency for WooCommerce plugin to a version newer than 2.2.5 that includes the fix shipped in WordPress Change Set #3234505.
  • If an upgrade cannot be applied immediately, deactivate and remove the plugin until a patched release is installed.
  • Review WordPress and WooCommerce logs for prior exploitation attempts referencing the plugin's frontend handlers.

Patch Information

The vendor addressed the issue by adding validation around the value passed to do_shortcode() within get_products_price(). The fix is published in the plugin's source repository and tracked in WordPress Change Set #3234505. Refer to the Woo Multi Currency Plugin Info page for the latest release and the WordPress Plugin Code Reference for the affected code path.

Workarounds

  • Deploy a WAF rule that blocks requests to the CURCY plugin's frontend endpoints when parameters contain [ or ] shortcode delimiters.
  • Restrict access to the WordPress AJAX endpoints used by the plugin through IP allow-listing where feasible.
  • Audit installed plugins and themes to minimize the set of registered shortcodes that an attacker could invoke.
```apache
# Example WAF rule (ModSecurity) to block shortcode syntax in CURCY parameters
SecRule REQUEST_URI "@contains woo-multi-currency" \
    "chain,deny,status:403,id:1004873,msg:'Block CVE-2024-13487 shortcode injection attempt'"
    SecRule ARGS "@rx \[[a-zA-Z0-9_\-]+.*\]" "t:none"
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.