A BUG was found in the e-commerce platform plug-in! Can shoppers change the price by themselves?


WooCommerce is a popular e-commerce platform with over 150 million downloads, powering nearly 35% of online stores worldwide.

 

The vulnerability was discovered in a multi-currency plugin that lets retailers set prices for shoppers around the world. The plugin automatically detects the customer's geographic location and displays prices in the customer's local currency, using an exchange rate that is either set manually or updated automatically from the current rate.

 

Security flaw can be exploited by malicious CSV files

 

According to Ninja Technologies, the vulnerability appears in plugin v2.1.17 and below, and affects the "Import Fixed Price" feature, which allows users to set custom prices, thereby overriding any prices that are automatically converted based on exchange rates.

 

Hackers could exploit the vulnerability by uploading to the website a specially crafted CSV file, built from the products' IDs and their prices in the current currency, allowing them to change the price of one or more products.

 

The vulnerability reportedly has a large impact on online stores that sell digital products. Because the attacker does not change product prices directly in the store's back end, store operators are unlikely to notice anything abnormal right away, so it is important to verify each order.

 

At the same time, to avoid being affected, website administrators should update the plugin to the latest version v2.1.18, which adds a security patch to fix the vulnerability.
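One way to carry out the order verification recommended above, as an added example that is not from the plugin or the original report: it compares each order line against a price snapshot kept outside the store. The data layout, field names, exchange rates and 2% tolerance are all assumptions, and the sample data is constructed.

```python
from decimal import Decimal

# Constructed sample data; the layout and field names are assumptions.
# Trusted snapshot kept outside the store (for example from a backup):
# base price in the store currency plus the fixed per-currency prices
# the merchant really set.
BASELINE = {
    101: {"base": Decimal("49.00"), "fixed": {"EUR": Decimal("45.00")}},
    102: {"base": Decimal("120.00"), "fixed": {}},
}
RATES = {"USD": Decimal("1"), "EUR": Decimal("0.92"), "GBP": Decimal("0.79")}
TOLERANCE = Decimal("0.02")  # allow 2% drift for rate changes and rounding

ORDERS = [
    {"order_id": 5001, "currency": "EUR", "items": [{"product_id": 101, "unit_price": "45.00"}]},
    {"order_id": 5002, "currency": "EUR", "items": [{"product_id": 102, "unit_price": "0.01"}]},
    {"order_id": 5003, "currency": "GBP", "items": [{"product_id": 101, "unit_price": "38.71"}]},
    {"order_id": 5004, "currency": "GBP", "items": [{"product_id": 999, "unit_price": "5.00"}]},
]

def expected_price(product_id, currency):
    """Return the price the merchant intended, or None if it is unknown."""
    product = BASELINE.get(product_id)
    if product is None or currency not in RATES:
        return None
    fixed = product["fixed"].get(currency)
    # A genuine fixed price overrides the exchange-rate conversion.
    return fixed if fixed is not None else product["base"] * RATES[currency]

def audit_orders(orders):
    """Return (order_id, product_id, reason) for every line needing review."""
    findings = []
    for order in orders:
        for item in order["items"]:
            paid = Decimal(item["unit_price"])
            want = expected_price(item["product_id"], order["currency"])
            if want is None:
                findings.append((order["order_id"], item["product_id"], "no baseline"))
            elif abs(paid - want) > want * TOLERANCE:
                reason = f"paid {paid} {order['currency']}, expected about {want:.2f}"
                findings.append((order["order_id"], item["product_id"], reason))
    return findings

if __name__ == "__main__":
    for finding in audit_orders(ORDERS):
        print(finding)
```

Because the baseline lives outside the store, a price overwritten through the import feature still shows up as a mismatch even though the store itself reports the order as normal.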

 

Cybersecurity needs the attention of relevant practitioners

 

According to the editor, this is not the first time that a WooCommerce platform plugin has had problems. In July this year, a vulnerability was discovered that tricked the server into executing malicious SQL commands, which allowed unauthenticated hackers to steal customer data, bank cards, employee credentials and other information from the online store's database.

 

In late August, a security vulnerability in a dynamic pricing and discount plugin on the platform was also disclosed, which allowed unauthenticated hackers to inject malicious code into websites running an unpatched version of the plugin. The vulnerability could lead to various attacks, including redirecting websites to phishing pages, inserting malicious scripts on product pages, and more.

 

Information security is very important in the Internet age, especially for e-commerce practitioners. The editor would like to remind sellers to purchase store operations plugins from legitimate platforms and to pay closer attention to store operations and platform news to avoid unnecessary losses.
