CVE-2023-49840: 
WordPress vulnerability analysis and mitigation

A Cross-Site Request Forgery (CSRF) vulnerability was discovered in Palscode's Multi Currency For WooCommerce plugin, affecting versions up to 1.5.5. The vulnerability was initially reported on August 24, 2023, by researcher Nguyen Xuan Chien and was publicly disclosed on December 6, 2023 (Patchstack).

The vulnerability stems from missing or incorrect nonce validation on an unknown function within the plugin. It has been assigned CVE-2023-49840 and is classified as CWE-352 (Cross-Site Request Forgery). The vulnerability received varying CVSS scores: NIST assigned a high severity score of 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H), while Patchstack rated it as medium severity with a score of 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) (NVD, WPScan).

The vulnerability allows unauthenticated attackers to perform unauthorized actions by tricking site administrators into performing specific actions, such as clicking on malicious links. This could potentially lead to unauthorized modifications or actions being executed with administrator privileges (WPScan).

The vulnerability has been fixed in version 1.5.6 of the Multi Currency For WooCommerce plugin. Users are advised to update to this version or later to remove the vulnerability. Patchstack users can enable auto-update for vulnerable plugins as an additional security measure (Patchstack).