Search

Find a vulnerability

Search criteria

    14 vulnerabilities found for FOX – Currency Switcher Professional for WooCommerce by realmag777

    CVE-2026-9241 (GCVE-0-2026-9241)

    Vulnerability from nvd – Published: 2026-05-28 03:27 – Updated: 2026-05-28 10:37
    VLAI
    Title
    FOX – Currency Switcher Professional for WooCommerce <= 1.4.6 - Authenticated (Subscriber+) Authorization Bypass via User-Controlled Key to 'wooc_order_user_roles' Parameter
    Summary
    The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 1.4.6. This is due to the `get_value()` function in `classes/fixed/fixed_user_role.php` trusting the attacker-controlled `$_REQUEST['wooc_order_user_roles']` parameter to determine the user's role context for role-based price resolution without any validation, allowing it to override the legitimate role data derived from the authenticated user's session object via `$user->roles`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to impersonate higher-privileged roles — such as wholesale customer or administrator — and obtain discounted or otherwise restricted pricing that should not be available to their actual role. This vulnerability only has practical impact when the fixed user-role pricing feature is enabled and at least one product has a privileged-role price configured.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Credits
    Long Lagon
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9241",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-28T10:26:17.893238Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-28T10:37:45.822Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "FOX \u2013 Currency Switcher Professional for WooCommerce",
              "vendor": "realmag777",
              "versions": [
                {
                  "lessThanOrEqual": "1.4.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Long Lagon"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The FOX \u2013 Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 1.4.6. This is due to the `get_value()` function in `classes/fixed/fixed_user_role.php` trusting the attacker-controlled `$_REQUEST[\u0027wooc_order_user_roles\u0027]` parameter to determine the user\u0027s role context for role-based price resolution without any validation, allowing it to override the legitimate role data derived from the authenticated user\u0027s session object via `$user-\u003eroles`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to impersonate higher-privileged roles \u2014 such as wholesale customer or administrator \u2014 and obtain discounted or otherwise restricted pricing that should not be available to their actual role. This vulnerability only has practical impact when the fixed user-role pricing feature is enabled and at least one product has a privileged-role price configured."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-28T03:27:27.160Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1c8c1fec-0e87-46f7-83c5-8f9e9aa97b4f?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/woocommerce-currency-switcher/trunk/classes/fixed/fixed_user_role.php#L228"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/woocommerce-currency-switcher/trunk/classes/fixed/fixed_user_role.php#L229"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/woocommerce-currency-switcher/trunk/classes/woocs.php#L2271"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3543524%40woocommerce-currency-switcher\u0026new=3543524%40woocommerce-currency-switcher\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-21T19:14:07.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-27T14:49:48.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "FOX \u2013 Currency Switcher Professional for WooCommerce \u003c= 1.4.6 - Authenticated (Subscriber+) Authorization Bypass via User-Controlled Key to \u0027wooc_order_user_roles\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-9241",
        "datePublished": "2026-05-28T03:27:27.160Z",
        "dateReserved": "2026-05-21T18:57:33.435Z",
        "dateUpdated": "2026-05-28T10:37:45.822Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-4094 (GCVE-0-2026-4094)

    Vulnerability from nvd – Published: 2026-05-15 06:45 – Updated: 2026-05-15 11:25
    VLAI
    Title
    FOX – Currency Switcher Professional for WooCommerce <= 1.4.5 - Missing Authorization to Authenticated (Contributor+) Configuration Deletion
    Summary
    The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'admin_head' function in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete the entire multi-currency configuration by visiting any wp-admin page with the `woocs_reset` parameter appended. Additionally, because no nonce is verified, this is also exploitable via Cross-Site Request Forgery against any administrator. The vulnerability may also be exploited by Subscriber-level users if the site is configured to allow Subscriber access to 'wp-admin' pages.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Ren Voza
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-4094",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-15T11:25:48.127326Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-15T11:25:58.454Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "FOX \u2013 Currency Switcher Professional for WooCommerce",
              "vendor": "realmag777",
              "versions": [
                {
                  "lessThanOrEqual": "1.4.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Ren Voza"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The FOX \u2013 Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the \u0027admin_head\u0027 function in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete the entire multi-currency configuration by visiting any wp-admin page with the `woocs_reset` parameter appended. Additionally, because no nonce is verified, this is also exploitable via Cross-Site Request Forgery against any administrator. The vulnerability may also be exploited by Subscriber-level users if the site is configured to allow Subscriber access to \u0027wp-admin\u0027 pages."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-15T06:45:58.221Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6eb9d68c-c081-484e-ad5d-5eabcfa6d6f0?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/woocommerce-currency-switcher/trunk/classes/woocs.php#L1167"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/woocommerce-currency-switcher/trunk/classes/woocs.php#L1168"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3483839/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-12T23:02:13.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-14T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "FOX \u2013 Currency Switcher Professional for WooCommerce \u003c= 1.4.5 - Missing Authorization to Authenticated (Contributor+) Configuration Deletion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-4094",
        "datePublished": "2026-05-15T06:45:58.221Z",
        "dateReserved": "2026-03-12T22:46:10.355Z",
        "dateUpdated": "2026-05-15T11:25:58.454Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-10640 (GCVE-0-2024-10640)

    Vulnerability from nvd – Published: 2024-11-09 11:19 – Updated: 2026-04-08 17:24
    VLAI
    Title
    The FOX – Currency Switcher Professional for WooCommerce <= 1.4.2.2 - Unauthenticated Arbitrary Shortcode Execution
    Summary
    The The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.2.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    Impacted products
    Vendor Product Version
    realmag777 FOX – Currency Switcher Professional for WooCommerce Affected: 0 , ≤ 1.4.2.2 (semver)
    Create a notification for this product.
    realmag777 fox-currency_switcher_professional Affected: 0 , ≤ 1.4.2.2 (semver)
        cpe:2.3:a:realmag777:fox-currency_switcher_professional:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Michael Mazzolini
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:realmag777:fox-currency_switcher_professional:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "fox-currency_switcher_professional",
                "vendor": "realmag777",
                "versions": [
                  {
                    "lessThanOrEqual": "1.4.2.2",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-10640",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-11T16:10:56.580160Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-11T16:11:00.337Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "FOX \u2013 Currency Switcher Professional for WooCommerce",
              "vendor": "realmag777",
              "versions": [
                {
                  "lessThanOrEqual": "1.4.2.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Michael Mazzolini"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The The FOX \u2013 Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.2.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:24:29.761Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ceb0dffa-02a2-4193-b2c4-4774091eacfa?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3183018%40woocommerce-currency-switcher\u0026old=3178647%40woocommerce-currency-switcher\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-10-31T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2024-11-08T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "The FOX \u2013 Currency Switcher Professional for WooCommerce \u003c= 1.4.2.2 - Unauthenticated Arbitrary Shortcode Execution"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-10640",
        "datePublished": "2024-11-09T11:19:44.210Z",
        "dateReserved": "2024-10-31T19:13:43.412Z",
        "dateUpdated": "2026-04-08T17:24:29.761Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-8271 (GCVE-0-2024-8271)

    Vulnerability from nvd – Published: 2024-09-14 02:04 – Updated: 2026-04-08 17:28
    VLAI
    Title
    FOX – Currency Switcher Professional for WooCommerce <= 1.4.2.1 - Unauthenticated Arbitrary Shortcode Execution
    Summary
    The The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.2.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode in the 'woocs_get_custom_price_html' function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    Impacted products
    Vendor Product Version
    realmag777 FOX – Currency Switcher Professional for WooCommerce Affected: 0 , ≤ 1.4.2.1 (semver)
    Create a notification for this product.
    realmag777 fox-currency_switcher_professional Affected: 0 , ≤ 1.4.2.1 (custom)
        cpe:2.3:a:realmag777:fox-currency_switcher_professional:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Arkadiusz Hydzik
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:realmag777:fox-currency_switcher_professional:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "fox-currency_switcher_professional",
                "vendor": "realmag777",
                "versions": [
                  {
                    "lessThanOrEqual": "1.4.2.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8271",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-16T18:31:03.839726Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-16T18:32:13.070Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "FOX \u2013 Currency Switcher Professional for WooCommerce",
              "vendor": "realmag777",
              "versions": [
                {
                  "lessThanOrEqual": "1.4.2.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Arkadiusz Hydzik"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The The FOX \u2013 Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.2.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode in the \u0027woocs_get_custom_price_html\u0027 function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:28:24.731Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dec51bd6-2ffe-47b6-9423-6131395bf439?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/woocommerce-currency-switcher/tags/1.4.2.1/classes/woocs.php#L4604"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3150596%40woocommerce-currency-switcher\u0026new=3150596%40woocommerce-currency-switcher\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-09-13T13:27:43.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "FOX \u2013 Currency Switcher Professional for WooCommerce \u003c= 1.4.2.1 - Unauthenticated Arbitrary Shortcode Execution"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-8271",
        "datePublished": "2024-09-14T02:04:21.236Z",
        "dateReserved": "2024-08-28T17:39:00.721Z",
        "dateUpdated": "2026-04-08T17:28:24.731Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-3734 (GCVE-0-2024-3734)

    Vulnerability from nvd – Published: 2024-05-02 16:52 – Updated: 2026-04-08 16:51
    VLAI
    Title
    FOX – Currency Switcher Professional for WooCommerce <= 1.4.1.8 - Unauthenticated Arbitrary Shortcode Execution
    Summary
    The FOX – Currency Switcher Professional for WooCommerce plugin is vulnerable to Unauthenticated Arbitrary Shortcode Execution in versions up to, and including, 1.4.1.8. This allows unauthenticated attackers to execute arbitrary shortcodes. The severity and exploitability depends on what other plugins are installed and what shortcode functionality they provide.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    Impacted products
    Vendor Product Version
    realmag777 FOX – Currency Switcher Professional for WooCommerce Affected: 0 , ≤ 1.4.1.8 (semver)
    Create a notification for this product.
    pluginus fox_-_currency_switcher_professional_for_woocommerce Affected: 0 , ≤ 1.4.1.8 (semver)
        cpe:2.3:a:pluginus:fox_-_currency_switcher_professional_for_woocommerce:*:*:*:*:*:wordpress:*:*
    Create a notification for this product.
    Credits
    Matthew Rollings
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:pluginus:fox_-_currency_switcher_professional_for_woocommerce:*:*:*:*:*:wordpress:*:*"
                ],
                "defaultStatus": "affected",
                "product": "fox_-_currency_switcher_professional_for_woocommerce",
                "vendor": "pluginus",
                "versions": [
                  {
                    "lessThanOrEqual": "1.4.1.8",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-3734",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-17T15:25:10.557175Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-11T14:11:27.580Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:20:00.902Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c1d49d0-c9aa-401c-80b9-d4df7fe97691?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/woocommerce-currency-switcher/trunk/classes/woocs.php#L4154"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3072307%40woocommerce-currency-switcher%2Ftrunk\u0026old=3049249%40woocommerce-currency-switcher%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "FOX \u2013 Currency Switcher Professional for WooCommerce",
              "vendor": "realmag777",
              "versions": [
                {
                  "lessThanOrEqual": "1.4.1.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matthew Rollings"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The FOX \u2013 Currency Switcher Professional for WooCommerce plugin is vulnerable to Unauthenticated Arbitrary Shortcode Execution in versions up to, and including, 1.4.1.8. This allows unauthenticated attackers to execute arbitrary shortcodes. The severity and exploitability depends on what other plugins are installed and what shortcode functionality they provide."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:51:09.984Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c1d49d0-c9aa-401c-80b9-d4df7fe97691?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/woocommerce-currency-switcher/trunk/classes/woocs.php#L4154"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3072307%40woocommerce-currency-switcher%2Ftrunk\u0026old=3049249%40woocommerce-currency-switcher%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-04-24T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "FOX \u2013 Currency Switcher Professional for WooCommerce \u003c= 1.4.1.8 - Unauthenticated Arbitrary Shortcode Execution"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-3734",
        "datePublished": "2024-05-02T16:52:03.882Z",
        "dateReserved": "2024-04-12T19:05:30.362Z",
        "dateUpdated": "2026-04-08T16:51:09.984Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-6556 (GCVE-0-2023-6556)

    Vulnerability from nvd – Published: 2024-01-11 08:32 – Updated: 2026-04-08 17:06
    VLAI
    Title
    FOX – Currency Switcher Professional for WooCommerce <= 1.4.1.6 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
    Summary
    The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via currency options in all versions up to, and including, 1.4.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Lucio Sá
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:35:13.750Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8cb37019-33f6-4f72-adfc-befbfbf69e47?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/woocommerce-currency-switcher/trunk/classes/smart-designer.php#L21"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/woocommerce-currency-switcher/trunk/classes/smart-designer.php#L120"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3012135%40woocommerce-currency-switcher\u0026new=3012135%40woocommerce-currency-switcher\u0026sfp_email=\u0026sfph_mail="
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-6556",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-01-18T01:28:46.604334Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-17T21:09:13.286Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "FOX \u2013 Currency Switcher Professional for WooCommerce",
              "vendor": "realmag777",
              "versions": [
                {
                  "lessThanOrEqual": "1.4.1.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Lucio S\u00e1"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The FOX \u2013 Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via currency options in all versions up to, and including, 1.4.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:06:05.531Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8cb37019-33f6-4f72-adfc-befbfbf69e47?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/woocommerce-currency-switcher/trunk/classes/smart-designer.php#L21"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/woocommerce-currency-switcher/trunk/classes/smart-designer.php#L120"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3012135%40woocommerce-currency-switcher\u0026new=3012135%40woocommerce-currency-switcher\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2023-12-23T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "FOX \u2013 Currency Switcher Professional for WooCommerce \u003c= 1.4.1.6 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2023-6556",
        "datePublished": "2024-01-11T08:32:45.695Z",
        "dateReserved": "2023-12-06T14:39:21.279Z",
        "dateUpdated": "2026-04-08T17:06:05.531Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-49834 (GCVE-0-2023-49834)

    Vulnerability from nvd – Published: 2023-12-17 10:38 – Updated: 2026-04-28 16:08
    VLAI
    Title
    WordPress WOOCS – WooCommerce Currency Switcher Plugin <= 1.4.1.4 is vulnerable to Cross Site Request Forgery (CSRF)
    Summary
    Cross-Site Request Forgery (CSRF) vulnerability in realmag777 FOX – Currency Switcher Professional for WooCommerce.This issue affects FOX – Currency Switcher Professional for WooCommerce: from n/a through 1.4.1.4.
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Credits
    Brandon Roldan (Patchstack Alliance)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T22:01:26.093Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/woocommerce-currency-switcher/wordpress-fox-currency-switcher-professional-for-woocommerce-plugin-1-4-1-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "woocommerce-currency-switcher",
              "product": "FOX \u2013 Currency Switcher Professional for WooCommerce",
              "vendor": "realmag777",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.4.1.5",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "1.4.1.4",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Brandon Roldan (Patchstack Alliance)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Cross-Site Request Forgery (CSRF) vulnerability in realmag777 FOX \u2013 Currency Switcher Professional for WooCommerce.\u003cp\u003eThis issue affects FOX \u2013 Currency Switcher Professional for WooCommerce: from n/a through 1.4.1.4.\u003c/p\u003e"
                }
              ],
              "value": "Cross-Site Request Forgery (CSRF) vulnerability in realmag777 FOX \u2013 Currency Switcher Professional for WooCommerce.This issue affects FOX \u2013 Currency Switcher Professional for WooCommerce: from n/a through 1.4.1.4."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:08:58.315Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/vulnerability/woocommerce-currency-switcher/wordpress-fox-currency-switcher-professional-for-woocommerce-plugin-1-4-1-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to\u00a01.4.1.5 or a higher version."
                }
              ],
              "value": "Update to\u00a01.4.1.5 or a higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress WOOCS \u2013 WooCommerce Currency Switcher Plugin \u003c= 1.4.1.4 is vulnerable to Cross Site Request Forgery (CSRF)",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2023-49834",
        "datePublished": "2023-12-17T10:38:49.072Z",
        "dateReserved": "2023-11-30T17:12:29.821Z",
        "dateUpdated": "2026-04-28T16:08:58.315Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9241 (GCVE-0-2026-9241)

    Vulnerability from cvelistv5 – Published: 2026-05-28 03:27 – Updated: 2026-05-28 10:37
    VLAI
    Title
    FOX – Currency Switcher Professional for WooCommerce <= 1.4.6 - Authenticated (Subscriber+) Authorization Bypass via User-Controlled Key to 'wooc_order_user_roles' Parameter
    Summary
    The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 1.4.6. This is due to the `get_value()` function in `classes/fixed/fixed_user_role.php` trusting the attacker-controlled `$_REQUEST['wooc_order_user_roles']` parameter to determine the user's role context for role-based price resolution without any validation, allowing it to override the legitimate role data derived from the authenticated user's session object via `$user->roles`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to impersonate higher-privileged roles — such as wholesale customer or administrator — and obtain discounted or otherwise restricted pricing that should not be available to their actual role. This vulnerability only has practical impact when the fixed user-role pricing feature is enabled and at least one product has a privileged-role price configured.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Credits
    Long Lagon
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9241",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-28T10:26:17.893238Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-28T10:37:45.822Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "FOX \u2013 Currency Switcher Professional for WooCommerce",
              "vendor": "realmag777",
              "versions": [
                {
                  "lessThanOrEqual": "1.4.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Long Lagon"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The FOX \u2013 Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 1.4.6. This is due to the `get_value()` function in `classes/fixed/fixed_user_role.php` trusting the attacker-controlled `$_REQUEST[\u0027wooc_order_user_roles\u0027]` parameter to determine the user\u0027s role context for role-based price resolution without any validation, allowing it to override the legitimate role data derived from the authenticated user\u0027s session object via `$user-\u003eroles`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to impersonate higher-privileged roles \u2014 such as wholesale customer or administrator \u2014 and obtain discounted or otherwise restricted pricing that should not be available to their actual role. This vulnerability only has practical impact when the fixed user-role pricing feature is enabled and at least one product has a privileged-role price configured."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-28T03:27:27.160Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1c8c1fec-0e87-46f7-83c5-8f9e9aa97b4f?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/woocommerce-currency-switcher/trunk/classes/fixed/fixed_user_role.php#L228"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/woocommerce-currency-switcher/trunk/classes/fixed/fixed_user_role.php#L229"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/woocommerce-currency-switcher/trunk/classes/woocs.php#L2271"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3543524%40woocommerce-currency-switcher\u0026new=3543524%40woocommerce-currency-switcher\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-21T19:14:07.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-27T14:49:48.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "FOX \u2013 Currency Switcher Professional for WooCommerce \u003c= 1.4.6 - Authenticated (Subscriber+) Authorization Bypass via User-Controlled Key to \u0027wooc_order_user_roles\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-9241",
        "datePublished": "2026-05-28T03:27:27.160Z",
        "dateReserved": "2026-05-21T18:57:33.435Z",
        "dateUpdated": "2026-05-28T10:37:45.822Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-4094 (GCVE-0-2026-4094)

    Vulnerability from cvelistv5 – Published: 2026-05-15 06:45 – Updated: 2026-05-15 11:25
    VLAI
    Title
    FOX – Currency Switcher Professional for WooCommerce <= 1.4.5 - Missing Authorization to Authenticated (Contributor+) Configuration Deletion
    Summary
    The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'admin_head' function in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete the entire multi-currency configuration by visiting any wp-admin page with the `woocs_reset` parameter appended. Additionally, because no nonce is verified, this is also exploitable via Cross-Site Request Forgery against any administrator. The vulnerability may also be exploited by Subscriber-level users if the site is configured to allow Subscriber access to 'wp-admin' pages.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    Impacted products
    Credits
    Ren Voza
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-4094",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-15T11:25:48.127326Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-15T11:25:58.454Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "FOX \u2013 Currency Switcher Professional for WooCommerce",
              "vendor": "realmag777",
              "versions": [
                {
                  "lessThanOrEqual": "1.4.5",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Ren Voza"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The FOX \u2013 Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the \u0027admin_head\u0027 function in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete the entire multi-currency configuration by visiting any wp-admin page with the `woocs_reset` parameter appended. Additionally, because no nonce is verified, this is also exploitable via Cross-Site Request Forgery against any administrator. The vulnerability may also be exploited by Subscriber-level users if the site is configured to allow Subscriber access to \u0027wp-admin\u0027 pages."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.1,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "CWE-862 Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-15T06:45:58.221Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6eb9d68c-c081-484e-ad5d-5eabcfa6d6f0?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/woocommerce-currency-switcher/trunk/classes/woocs.php#L1167"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/woocommerce-currency-switcher/trunk/classes/woocs.php#L1168"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3483839/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-12T23:02:13.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-14T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "FOX \u2013 Currency Switcher Professional for WooCommerce \u003c= 1.4.5 - Missing Authorization to Authenticated (Contributor+) Configuration Deletion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-4094",
        "datePublished": "2026-05-15T06:45:58.221Z",
        "dateReserved": "2026-03-12T22:46:10.355Z",
        "dateUpdated": "2026-05-15T11:25:58.454Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-10640 (GCVE-0-2024-10640)

    Vulnerability from cvelistv5 – Published: 2024-11-09 11:19 – Updated: 2026-04-08 17:24
    VLAI
    Title
    The FOX – Currency Switcher Professional for WooCommerce <= 1.4.2.2 - Unauthenticated Arbitrary Shortcode Execution
    Summary
    The The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.2.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    Impacted products
    Vendor Product Version
    realmag777 FOX – Currency Switcher Professional for WooCommerce Affected: 0 , ≤ 1.4.2.2 (semver)
    Create a notification for this product.
    realmag777 fox-currency_switcher_professional Affected: 0 , ≤ 1.4.2.2 (semver)
        cpe:2.3:a:realmag777:fox-currency_switcher_professional:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Michael Mazzolini
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:realmag777:fox-currency_switcher_professional:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unaffected",
                "product": "fox-currency_switcher_professional",
                "vendor": "realmag777",
                "versions": [
                  {
                    "lessThanOrEqual": "1.4.2.2",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-10640",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-11T16:10:56.580160Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-11T16:11:00.337Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "FOX \u2013 Currency Switcher Professional for WooCommerce",
              "vendor": "realmag777",
              "versions": [
                {
                  "lessThanOrEqual": "1.4.2.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Michael Mazzolini"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The The FOX \u2013 Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.2.2. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:24:29.761Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/ceb0dffa-02a2-4193-b2c4-4774091eacfa?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3183018%40woocommerce-currency-switcher\u0026old=3178647%40woocommerce-currency-switcher\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-10-31T00:00:00.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2024-11-08T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "The FOX \u2013 Currency Switcher Professional for WooCommerce \u003c= 1.4.2.2 - Unauthenticated Arbitrary Shortcode Execution"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-10640",
        "datePublished": "2024-11-09T11:19:44.210Z",
        "dateReserved": "2024-10-31T19:13:43.412Z",
        "dateUpdated": "2026-04-08T17:24:29.761Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-8271 (GCVE-0-2024-8271)

    Vulnerability from cvelistv5 – Published: 2024-09-14 02:04 – Updated: 2026-04-08 17:28
    VLAI
    Title
    FOX – Currency Switcher Professional for WooCommerce <= 1.4.2.1 - Unauthenticated Arbitrary Shortcode Execution
    Summary
    The The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.2.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode in the 'woocs_get_custom_price_html' function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    Impacted products
    Vendor Product Version
    realmag777 FOX – Currency Switcher Professional for WooCommerce Affected: 0 , ≤ 1.4.2.1 (semver)
    Create a notification for this product.
    realmag777 fox-currency_switcher_professional Affected: 0 , ≤ 1.4.2.1 (custom)
        cpe:2.3:a:realmag777:fox-currency_switcher_professional:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Arkadiusz Hydzik
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:realmag777:fox-currency_switcher_professional:*:*:*:*:*:*:*:*"
                ],
                "defaultStatus": "unknown",
                "product": "fox-currency_switcher_professional",
                "vendor": "realmag777",
                "versions": [
                  {
                    "lessThanOrEqual": "1.4.2.1",
                    "status": "affected",
                    "version": "0",
                    "versionType": "custom"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-8271",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-09-16T18:31:03.839726Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-09-16T18:32:13.070Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "FOX \u2013 Currency Switcher Professional for WooCommerce",
              "vendor": "realmag777",
              "versions": [
                {
                  "lessThanOrEqual": "1.4.2.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Arkadiusz Hydzik"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The The FOX \u2013 Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.2.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode in the \u0027woocs_get_custom_price_html\u0027 function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:28:24.731Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/dec51bd6-2ffe-47b6-9423-6131395bf439?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/woocommerce-currency-switcher/tags/1.4.2.1/classes/woocs.php#L4604"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3150596%40woocommerce-currency-switcher\u0026new=3150596%40woocommerce-currency-switcher\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-09-13T13:27:43.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "FOX \u2013 Currency Switcher Professional for WooCommerce \u003c= 1.4.2.1 - Unauthenticated Arbitrary Shortcode Execution"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-8271",
        "datePublished": "2024-09-14T02:04:21.236Z",
        "dateReserved": "2024-08-28T17:39:00.721Z",
        "dateUpdated": "2026-04-08T17:28:24.731Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2024-3734 (GCVE-0-2024-3734)

    Vulnerability from cvelistv5 – Published: 2024-05-02 16:52 – Updated: 2026-04-08 16:51
    VLAI
    Title
    FOX – Currency Switcher Professional for WooCommerce <= 1.4.1.8 - Unauthenticated Arbitrary Shortcode Execution
    Summary
    The FOX – Currency Switcher Professional for WooCommerce plugin is vulnerable to Unauthenticated Arbitrary Shortcode Execution in versions up to, and including, 1.4.1.8. This allows unauthenticated attackers to execute arbitrary shortcodes. The severity and exploitability depends on what other plugins are installed and what shortcode functionality they provide.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-94 - Improper Control of Generation of Code ('Code Injection')
    Assigner
    Impacted products
    Vendor Product Version
    realmag777 FOX – Currency Switcher Professional for WooCommerce Affected: 0 , ≤ 1.4.1.8 (semver)
    Create a notification for this product.
    pluginus fox_-_currency_switcher_professional_for_woocommerce Affected: 0 , ≤ 1.4.1.8 (semver)
        cpe:2.3:a:pluginus:fox_-_currency_switcher_professional_for_woocommerce:*:*:*:*:*:wordpress:*:*
    Create a notification for this product.
    Credits
    Matthew Rollings
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "affected": [
              {
                "cpes": [
                  "cpe:2.3:a:pluginus:fox_-_currency_switcher_professional_for_woocommerce:*:*:*:*:*:wordpress:*:*"
                ],
                "defaultStatus": "affected",
                "product": "fox_-_currency_switcher_professional_for_woocommerce",
                "vendor": "pluginus",
                "versions": [
                  {
                    "lessThanOrEqual": "1.4.1.8",
                    "status": "affected",
                    "version": "0",
                    "versionType": "semver"
                  }
                ]
              }
            ],
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-3734",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-07-17T15:25:10.557175Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-08-11T14:11:27.580Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          },
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-01T20:20:00.902Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c1d49d0-c9aa-401c-80b9-d4df7fe97691?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/woocommerce-currency-switcher/trunk/classes/woocs.php#L4154"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3072307%40woocommerce-currency-switcher%2Ftrunk\u0026old=3049249%40woocommerce-currency-switcher%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "FOX \u2013 Currency Switcher Professional for WooCommerce",
              "vendor": "realmag777",
              "versions": [
                {
                  "lessThanOrEqual": "1.4.1.8",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Matthew Rollings"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The FOX \u2013 Currency Switcher Professional for WooCommerce plugin is vulnerable to Unauthenticated Arbitrary Shortcode Execution in versions up to, and including, 1.4.1.8. This allows unauthenticated attackers to execute arbitrary shortcodes. The severity and exploitability depends on what other plugins are installed and what shortcode functionality they provide."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:51:09.984Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/4c1d49d0-c9aa-401c-80b9-d4df7fe97691?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/woocommerce-currency-switcher/trunk/classes/woocs.php#L4154"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3072307%40woocommerce-currency-switcher%2Ftrunk\u0026old=3049249%40woocommerce-currency-switcher%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2024-04-24T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "FOX \u2013 Currency Switcher Professional for WooCommerce \u003c= 1.4.1.8 - Unauthenticated Arbitrary Shortcode Execution"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2024-3734",
        "datePublished": "2024-05-02T16:52:03.882Z",
        "dateReserved": "2024-04-12T19:05:30.362Z",
        "dateUpdated": "2026-04-08T16:51:09.984Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-6556 (GCVE-0-2023-6556)

    Vulnerability from cvelistv5 – Published: 2024-01-11 08:32 – Updated: 2026-04-08 17:06
    VLAI
    Title
    FOX – Currency Switcher Professional for WooCommerce <= 1.4.1.6 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting
    Summary
    The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via currency options in all versions up to, and including, 1.4.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Lucio Sá
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T08:35:13.750Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8cb37019-33f6-4f72-adfc-befbfbf69e47?source=cve"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/woocommerce-currency-switcher/trunk/classes/smart-designer.php#L21"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/browser/woocommerce-currency-switcher/trunk/classes/smart-designer.php#L120"
              },
              {
                "tags": [
                  "x_transferred"
                ],
                "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3012135%40woocommerce-currency-switcher\u0026new=3012135%40woocommerce-currency-switcher\u0026sfp_email=\u0026sfph_mail="
              }
            ],
            "title": "CVE Program Container"
          },
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2023-6556",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-01-18T01:28:46.604334Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-06-17T21:09:13.286Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "FOX \u2013 Currency Switcher Professional for WooCommerce",
              "vendor": "realmag777",
              "versions": [
                {
                  "lessThanOrEqual": "1.4.1.6",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Lucio S\u00e1"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The FOX \u2013 Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via currency options in all versions up to, and including, 1.4.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:06:05.531Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8cb37019-33f6-4f72-adfc-befbfbf69e47?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/woocommerce-currency-switcher/trunk/classes/smart-designer.php#L21"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/woocommerce-currency-switcher/trunk/classes/smart-designer.php#L120"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3012135%40woocommerce-currency-switcher\u0026new=3012135%40woocommerce-currency-switcher\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2023-12-23T00:00:00.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "FOX \u2013 Currency Switcher Professional for WooCommerce \u003c= 1.4.1.6 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2023-6556",
        "datePublished": "2024-01-11T08:32:45.695Z",
        "dateReserved": "2023-12-06T14:39:21.279Z",
        "dateUpdated": "2026-04-08T17:06:05.531Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2023-49834 (GCVE-0-2023-49834)

    Vulnerability from cvelistv5 – Published: 2023-12-17 10:38 – Updated: 2026-04-28 16:08
    VLAI
    Title
    WordPress WOOCS – WooCommerce Currency Switcher Plugin <= 1.4.1.4 is vulnerable to Cross Site Request Forgery (CSRF)
    Summary
    Cross-Site Request Forgery (CSRF) vulnerability in realmag777 FOX – Currency Switcher Professional for WooCommerce.This issue affects FOX – Currency Switcher Professional for WooCommerce: from n/a through 1.4.1.4.
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    References
    Impacted products
    Credits
    Brandon Roldan (Patchstack Alliance)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "providerMetadata": {
              "dateUpdated": "2024-08-02T22:01:26.093Z",
              "orgId": "af854a3a-2127-422b-91ae-364da2661108",
              "shortName": "CVE"
            },
            "references": [
              {
                "tags": [
                  "vdb-entry",
                  "x_transferred"
                ],
                "url": "https://patchstack.com/database/vulnerability/woocommerce-currency-switcher/wordpress-fox-currency-switcher-professional-for-woocommerce-plugin-1-4-1-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
              }
            ],
            "title": "CVE Program Container"
          }
        ],
        "cna": {
          "affected": [
            {
              "collectionURL": "https://wordpress.org/plugins",
              "defaultStatus": "unaffected",
              "packageName": "woocommerce-currency-switcher",
              "product": "FOX \u2013 Currency Switcher Professional for WooCommerce",
              "vendor": "realmag777",
              "versions": [
                {
                  "changes": [
                    {
                      "at": "1.4.1.5",
                      "status": "unaffected"
                    }
                  ],
                  "lessThanOrEqual": "1.4.1.4",
                  "status": "affected",
                  "version": "n/a",
                  "versionType": "custom"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "user": "00000000-0000-4000-9000-000000000000",
              "value": "Brandon Roldan (Patchstack Alliance)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Cross-Site Request Forgery (CSRF) vulnerability in realmag777 FOX \u2013 Currency Switcher Professional for WooCommerce.\u003cp\u003eThis issue affects FOX \u2013 Currency Switcher Professional for WooCommerce: from n/a through 1.4.1.4.\u003c/p\u003e"
                }
              ],
              "value": "Cross-Site Request Forgery (CSRF) vulnerability in realmag777 FOX \u2013 Currency Switcher Professional for WooCommerce.This issue affects FOX \u2013 Currency Switcher Professional for WooCommerce: from n/a through 1.4.1.4."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "LOW",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 5.4,
                "baseSeverity": "MEDIUM",
                "confidentialityImpact": "NONE",
                "integrityImpact": "LOW",
                "privilegesRequired": "NONE",
                "scope": "UNCHANGED",
                "userInteraction": "REQUIRED",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L",
                "version": "3.1"
              },
              "format": "CVSS",
              "scenarios": [
                {
                  "lang": "en",
                  "value": "GENERAL"
                }
              ]
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-28T16:08:58.315Z",
            "orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
            "shortName": "Patchstack"
          },
          "references": [
            {
              "tags": [
                "vdb-entry"
              ],
              "url": "https://patchstack.com/database/vulnerability/woocommerce-currency-switcher/wordpress-fox-currency-switcher-professional-for-woocommerce-plugin-1-4-1-4-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
            }
          ],
          "solutions": [
            {
              "lang": "en",
              "supportingMedia": [
                {
                  "base64": false,
                  "type": "text/html",
                  "value": "Update to\u00a01.4.1.5 or a higher version."
                }
              ],
              "value": "Update to\u00a01.4.1.5 or a higher version."
            }
          ],
          "source": {
            "discovery": "EXTERNAL"
          },
          "title": "WordPress WOOCS \u2013 WooCommerce Currency Switcher Plugin \u003c= 1.4.1.4 is vulnerable to Cross Site Request Forgery (CSRF)",
          "x_generator": {
            "engine": "Vulnogram 0.1.0-dev"
          }
        }
      },
      "cveMetadata": {
        "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
        "assignerShortName": "Patchstack",
        "cveId": "CVE-2023-49834",
        "datePublished": "2023-12-17T10:38:49.072Z",
        "dateReserved": "2023-11-30T17:12:29.821Z",
        "dateUpdated": "2026-04-28T16:08:58.315Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }