Critical vulnerability in Currency Switcher for WooCommerce

During one of our penetration tests we have found a critical security vulnerability in Currency Switcher for WooCommerce – the new, improved, version is out so upgrade ASAP

Our intrepid researcher Luka Sikic was exploring a Currency Switcher a popular plugin for WooCommerce with more than 5000 installations on WordPress. It has features like automatic currency exchange rates updates, prices on per product basis, currency by country...

During one of our latest penetration tests we had a chance to attack a webshop using the beforementioned plugin and Luka found a critical vulnerability. To make a long story short, in version 2.11.1 and earlier we could force a currency that isn't enabled in the settings and basically do a conversion in a currency that is valued less to get a product for a fraction of a price.

We have notified the developer of the plugin, WP Wham, who reacted swiftly and remedied the problem. The new version of the plugin, 2.11.2, is bug free so we urge all users to switch to that one.

Vulnerability got an official CVE-ID - CVE-2019-18668.