CVE-2024-13487 CURCY – Multi Currency for WooCommerce <= 2.2.5 - Unauthenticated Arbitrary Shortcode Execution via get_products_price Function

🗓️ 06 Feb 2025 06:53:40Reported by WordfenceType

CURCY for WooCommerce allows arbitrary shortcode execution by unauthenticated attackers in versions ≤ 2.2.5.

Reporter	Title	Published	Views	Family All 10
Circl	CVE-2024-13487	6 Feb 202506:58	–	circl
CNNVD	WordPress plugin CURCY 代码注入漏洞	6 Feb 202500:00	–	cnnvd
CVE	CVE-2024-13487	6 Feb 202506:53	–	cve
EUVD	EUVD-2024-51626	3 Oct 202520:07	–	euvd
NVD	CVE-2024-13487	6 Feb 202507:15	–	nvd
Patchstack	WordPress CURCY – Multi Currency for WooCommerce plugin <= 2.2.5 - Unauthenticated Arbitrary Shortcode Execution via get_products_price Function vulnerability	5 Feb 202521:59	–	patchstack
Positive Technologies	PT-2025-5801 · Woocommerce · Curcy – Multi Currency For Woocommerce	6 Feb 202500:00	–	ptsecurity
RedhatCVE	CVE-2024-13487	8 Feb 202507:26	–	redhatcve
Vulnrichment	CVE-2024-13487 CURCY – Multi Currency for WooCommerce <= 2.2.5 - Unauthenticated Arbitrary Shortcode Execution via get_products_price Function	6 Feb 202506:53	–	vulnrichment
Wordfence Blog	Wordfence Intelligence Weekly WordPress Vulnerability Report (February 3, 2025 to February 9, 2025)	13 Feb 202515:34	–	wordfence

[
  {
    "vendor": "villatheme",
    "product": "CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x",
    "versions": [
      {
        "version": "0",
        "status": "affected",
        "lessThanOrEqual": "2.2.5",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unaffected"
  }
]

Source	Link
plugins	www.plugins.trac.wordpress.org/changeset/3234505/
wordfence	www.wordfence.com/threat-intel/vulnerabilities/id/d630dd85-0169-4582-a8ae-54e5053425ac
plugins	www.plugins.trac.wordpress.org/browser/woo-multi-currency/trunk/frontend/cache.php
wordpress	www.wordpress.org/plugins/woo-multi-currency/

08 Apr 2026 17:26Current

CVSS 3.17.3

EPSS0.00251

CWE-94