CVE-2024-31920 in Currency per Product for WooCommerce Plugin
Summary
by MITRE • 04/15/2024
Cross-Site Request Forgery (CSRF) vulnerability in Tyche Softwares Currency per Product for WooCommerce. This issue affects Currency per Product for WooCommerce: from n/a through 1.6.0.
Analysis
by VulDB Data Team • 04/06/2025
CVE-2024-31920 is a critical Cross-Site Request Forgery flaw in the Tyche Softwares Currency per Product for WooCommerce plugin, a widely used extension for WordPress e-commerce sites. It exposes online stores to administrative actions executed without the administrator's consent, potentially leading to significant financial and operational damage. The affected range runs from an unspecified initial version through 1.6.0, so installations stayed susceptible for a prolonged period. Stores that rely on the plugin's currency conversion functionality are affected, which makes the flaw particularly concerning for businesses handling international transactions and multiple currencies.
Technically, the CSRF vulnerability stems from insufficient validation of request origins and the lack of anti-forgery tokens (in WordPress terms, nonces) in the plugin's administrative interfaces. When an administrator performs currency conversion operations or modifies currency settings through the WooCommerce dashboard, the plugin does not adequately verify that the request was deliberately issued from a legitimate administrative session rather than merely carrying the administrator's session cookies. Because the browser attaches those cookies to any request, an attacker can craft a request that appears to come from an authenticated admin user, exploiting the trust relationship between the web application and its administrators. The vulnerability operates at the application layer, specifically at the plugin's administrative endpoints that handle currency configuration changes, which makes it particularly dangerous for e-commerce operations where currency settings directly affect transaction processing and financial integrity.
The operational impact of this vulnerability extends beyond simple data manipulation to encompass potential financial fraud and system compromise. Attackers could exploit this flaw to modify currency conversion rates, potentially leading to unauthorized financial transactions, revenue loss, or manipulation of pricing structures. The vulnerability also creates opportunities for broader system compromise, as currency configuration changes can affect payment processing, tax calculations, and inventory management systems within the WooCommerce ecosystem. Organizations using this plugin may experience unauthorized modifications to their store's financial settings, potentially resulting in significant monetary losses and reputational damage. The vulnerability's persistence across multiple versions suggests that numerous WooCommerce installations may remain exposed, creating a widespread attack surface for threat actors targeting e-commerce platforms.
Mitigation for CVE-2024-31920 should prioritize updating the plugin to a version that addresses the CSRF implementation flaws. Organizations should also add defensive measures such as a web application firewall, proper input validation, and enhanced monitoring of administrative activities. The vulnerability aligns with CWE-352, which covers Cross-Site Request Forgery weaknesses in web applications, and corresponds to ATT&CK technique T1078.004 for valid accounts and T1566.002 for spearphishing via links, since attackers could leverage this vulnerability to escalate privileges and gain unauthorized access to administrative functions. Organizations should further consider multi-factor authentication for administrative accounts and regular security audits of their WordPress plugin ecosystem to identify and remediate similar vulnerabilities. The incident underscores the importance of maintaining up-to-date security patches and robust access controls for e-commerce platforms handling sensitive financial data and user information.
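As an added illustration of the missing-nonce pattern described in the analysis and of the fix the mitigation paragraph calls for, the following hypothetical WordPress settings handler is shown in its CSRF-prone form beside the standard hardened form. This is not the plugin's own code; the `cpp_` function names, the option key, the form field names and the `manage_woocommerce` capability are assumptions.

```php
<?php
// Added illustration, not the plugin's code. A hypothetical admin handler
// that stores a currency rate, first without and then with CSRF protection.

// BEFORE (CSRF-prone): the request is trusted solely because the admin's
// cookies arrive with it; nothing proves the admin intended this action.
function cpp_save_rate_vulnerable() {
    if ( ! is_admin() ) {   // is_admin() checks the URL area, not who the user is
        return;
    }
    $rate = floatval( $_POST['cpp_rate'] );
    update_option( 'cpp_currency_rate', $rate );   // attacker-chosen value persists
}

// AFTER: the form carries a nonce bound to the user session and the action,
// so a request forged from another origin cannot include a valid one.
function cpp_render_rate_form() {
    $rate = get_option( 'cpp_currency_rate', 1.0 );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="cpp_save_rate">';
    wp_nonce_field( 'cpp_save_rate', 'cpp_nonce' );   // emits the hidden nonce field
    echo '<input type="text" name="cpp_rate" value="' . esc_attr( $rate ) . '">';
    submit_button( 'Save rate' );
    echo '</form>';
}

function cpp_save_rate_hardened() {
    // Capability check: only users allowed to manage the store may change rates.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    // Nonce check: check_admin_referer() verifies the token and dies on failure.
    check_admin_referer( 'cpp_save_rate', 'cpp_nonce' );

    // Input validation: reject missing, non-numeric or non-positive rates.
    $rate = isset( $_POST['cpp_rate'] ) ? floatval( wp_unslash( $_POST['cpp_rate'] ) ) : 0.0;
    if ( $rate <= 0 ) {
        wp_die( 'Invalid rate', 400 );
    }
    update_option( 'cpp_currency_rate', $rate );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}
add_action( 'admin_post_cpp_save_rate', 'cpp_save_rate_hardened' );
```

For detection, a missing `check_admin_referer()` or `wp_verify_nonce()` call in a handler that writes options or settings is the code-review signal to look for; at runtime, unexpected changes to rate or currency options recorded outside normal administrative sessions are worth alerting on.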