{"api_version":"1","generated_at":"2026-05-13T16:22:21+00:00","cve":"CVE-2021-4376","urls":{"html":"https://cve.report/CVE-2021-4376","api":"https://cve.report/api/cve/CVE-2021-4376.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2021-4376","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2021-4376"},"summary":{"title":"WooCommerce Multi Currency <= 2.1.17 - Missing Authorization","description":"The WooCommerce Multi Currency plugin for WordPress is vulnerable to Missing Authorization  in versions up to, and including, 2.1.17. This makes it possible for authenticated attackers to change the price of a product to an arbitrary value.","state":"PUBLISHED","assigner":"Wordfence","published_at":"2023-06-07 02:15:15","updated_at":"2026-04-08 19:17:42"},"problem_types":["CWE-862","CWE-862 CWE-862 Missing Authorization"],"metrics":[{"version":"3.1","source":"nvd@nist.gov","type":"Primary","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"security@wordfence.com","type":"Secondary","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"4.3","severity":"MEDIUM","vector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","data":{"baseScore":4.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","version":"3.1"}}],"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/d8a490c6-14c1-4c71-b44c-1e362cc892a8?source=cve","name":"https://www.wordfence.com/threat-intel/vulnerabilities/id/d8a490c6-14c1-4c71-b44c-1e362cc892a8?source=cve","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"WooCommerce Multi Currency <= 2.1.17 - Missing Authorization","mime":"text/html","httpstatus":"200","archivestatus":"404"},{"url":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2734576%40woo-multi-currency&new=2734576%40woo-multi-currency&sfp_email=&sfph_mail=","name":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2734576%40woo-multi-currency&new=2734576%40woo-multi-currency&sfp_email=&sfph_mail=","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Patch"],"title":"403 Forbidden","mime":"text/html","httpstatus":"403","archivestatus":"404"},{"url":"https://wordpress.org/plugins/woo-multi-currency/#developers","name":"https://wordpress.org/plugins/woo-multi-currency/#developers","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Product"],"title":"CURCY – Multi Currency for WooCommerce – The best free currency exchange plugin – Run smoothly on WooCommerce 5.x – WordPress plugin | WordPress.org","mime":"text/html","httpstatus":"200","archivestatus":"200"},{"url":"https://wpscan.com/vulnerability/480125bc-bab3-45b8-9325-a4d406655a61","name":"https://wpscan.com/vulnerability/480125bc-bab3-45b8-9325-a4d406655a61","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"WooCommerce Multi Currency < 2.1.18 - Authenticated Product Price Change WordPress Security Vulnerability","mime":"text/html","httpstatus":"403","archivestatus":"200"},{"url":"https://www.cve.org/CVERecord?id=CVE-2021-4376","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2021-4376","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"villatheme","product":"CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x","version":"affected 2.1.17 semver","platforms":[]}],"timeline":[{"source":"CNA","time":"2021-09-13T00:00:00.000Z","lang":"en","value":"Disclosed"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Jerome Bruandet","lang":"en"}],"nvd_cpes":[{"cve_year":"2021","cve_id":"4376","vulnerable":"1","versionEndIncluding":"2.1.17","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"palscode","cpe5":"woocommerce_multi_currency","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2021","cve_id":"4376","cve":"CVE-2021-4376","epss":"0.000870000","percentile":"0.250250000","score_date":"2026-04-09","updated_at":"2026-04-10 00:07:03"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"providerMetadata":{"dateUpdated":"2024-08-03T17:23:10.719Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_transferred"],"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/d8a490c6-14c1-4c71-b44c-1e362cc892a8?source=cve"},{"tags":["x_transferred"],"url":"https://wpscan.com/vulnerability/480125bc-bab3-45b8-9325-a4d406655a61"},{"tags":["x_transferred"],"url":"https://wordpress.org/plugins/woo-multi-currency/#developers"},{"tags":["x_transferred"],"url":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2734576%40woo-multi-currency&new=2734576%40woo-multi-currency&sfp_email=&sfph_mail="}],"title":"CVE Program Container"},{"metrics":[{"other":{"content":{"id":"CVE-2021-4376","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","timestamp":"2024-12-20T23:26:59.952955Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2024-12-20T23:50:01.341Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x","vendor":"villatheme","versions":[{"lessThanOrEqual":"2.1.17","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Jerome Bruandet"}],"descriptions":[{"lang":"en","value":"The WooCommerce Multi Currency plugin for WordPress is vulnerable to Missing Authorization  in versions up to, and including, 2.1.17. This makes it possible for authenticated attackers to change the price of a product to an arbitrary value."}],"metrics":[{"cvssV3_1":{"baseScore":4.3,"baseSeverity":"MEDIUM","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-862","description":"CWE-862 Missing Authorization","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-08T17:26:55.408Z","orgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","shortName":"Wordfence"},"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/d8a490c6-14c1-4c71-b44c-1e362cc892a8?source=cve"},{"url":"https://wpscan.com/vulnerability/480125bc-bab3-45b8-9325-a4d406655a61"},{"url":"https://wordpress.org/plugins/woo-multi-currency/#developers"},{"url":"https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2734576%40woo-multi-currency&new=2734576%40woo-multi-currency&sfp_email=&sfph_mail="}],"timeline":[{"lang":"en","time":"2021-09-13T00:00:00.000Z","value":"Disclosed"}],"title":"WooCommerce Multi Currency <= 2.1.17 - Missing Authorization"}},"cveMetadata":{"assignerOrgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","assignerShortName":"Wordfence","cveId":"CVE-2021-4376","datePublished":"2023-06-07T01:51:46.083Z","dateReserved":"2023-06-06T13:20:38.952Z","dateUpdated":"2026-04-08T17:26:55.408Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2023-06-07 02:15:15","lastModifiedDate":"2026-04-08 19:17:42","problem_types":["CWE-862","CWE-862 CWE-862 Missing Authorization"],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N","baseScore":4.3,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":1.4}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:palscode:woocommerce_multi_currency:*:*:*:*:*:wordpress:*:*","versionEndIncluding":"2.1.17","matchCriteriaId":"D6D7C538-84BC-4A9A-9672-C4A1A5ACCAC4"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2021","CveId":"4376","Ordinal":"1","Title":"WooCommerce Multi Currency <= 2.1.17 - Missing Authorization","CVE":"CVE-2021-4376","Year":"2021"},"notes":[{"CveYear":"2021","CveId":"4376","Ordinal":"1","NoteData":"The WooCommerce Multi Currency plugin for WordPress is vulnerable to Missing Authorization  in versions up to, and including, 2.1.17. This makes it possible for authenticated attackers to change the price of a product to an arbitrary value.","Type":"Description","Title":"WooCommerce Multi Currency <= 2.1.17 - Missing Authorization"}]}}}