FOX – Currency Switcher Professional for WooCommerce <= 1.4.6 - Authenticated (Subscriber+) Authorization Bypass via User-Controlled Key to 'wooc_order_user_roles' Parameter
Description
The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 1.4.6. This is due to the `get_value()` function in `classes/fixed/fixed_user_role.php` trusting the attacker-controlled `$_REQUEST['wooc_order_user_roles']` parameter to determine the user's role context for role-based price resolution without any validation, allowing it to override the legitimate role data derived from the authenticated user's session object via `$user->roles`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to impersonate higher-privileged roles — such as wholesale customer or administrator — and obtain discounted or otherwise restricted pricing that should not be available to their actual role. This vulnerability only has practical impact when the fixed user-role pricing feature is enabled and at least one product has a privileged-role price configured.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:NTechnical Details
<=1.4.6Source Code
WordPress.org SVNPatched version not available.
This research plan outlines the technical steps to exploit CVE-2026-9241, an authorization bypass in the FOX – Currency Switcher Professional for WooCommerce plugin. ## 1. Vulnerability Summary The vulnerability exists in the `get_value()` function within `classes/fixed/fixed_user_role.php`. This f…
Show full research plan
This research plan outlines the technical steps to exploit CVE-2026-9241, an authorization bypass in the FOX – Currency Switcher Professional for WooCommerce plugin.
1. Vulnerability Summary
The vulnerability exists in the get_value() function within classes/fixed/fixed_user_role.php. This function is responsible for determining the correct product price based on a user's role when the "Fixed User Role Prices" feature is enabled.
The code incorrectly prioritizes the value of $_REQUEST['wooc_order_user_roles'] over the legitimate roles derived from the authenticated $user->roles object. Because $_REQUEST parameters are user-controllable, an authenticated user (Subscriber level or higher) can supply an arbitrary role name in the request. The plugin then uses this supplied role to fetch prices, allowing the attacker to access discounts or pricing tiers reserved for higher-privileged roles like "Administrator" or "Wholesale Customer."
2. Attack Vector Analysis
- Endpoint: Any page where product prices are rendered (Product single page, Shop page) or AJAX endpoints that recalculate prices (e.g.,
woocs_get_custom_price). - Vulnerable Parameter:
wooc_order_user_roles - Authentication Level: Authenticated (Subscriber+).
- Precondition:
- The "Fixed user-role pricing" feature must be enabled in the FOX Currency Switcher settings.
- At least one product must have a "Fixed role price" defined for a role the attacker does not possess (e.g., a special price for
administrator).
3. Code Flow
- A request is made to a product page or a pricing filter is triggered.
- WooCommerce calls price filters, which are hooked by the WOOCS plugin.
- The plugin's logic for fixed pricing is invoked, specifically the
get_value()method inWOOCS_FIXED_USER_ROLE(located inclasses/fixed/fixed_user_role.php). - Inside
get_value():- The code checks if
$_REQUEST['wooc_order_user_roles']is set. - If set, it assigns this value to the variable used for role-based lookup.
- If not set, it defaults to the current authenticated user's roles via
wp_get_current_user()->roles.
- The code checks if
- The plugin looks up the product's meta data for the specified role.
- The filtered (maliciously chosen) price is returned and displayed to the user.
4. Nonce Acquisition Strategy
While this vulnerability can typically be exploited via a simple GET request to a product page (which does not require a nonce), some pricing updates occur via AJAX.
- Identify Script Localization: The plugin typically localizes data into a JavaScript object named
woocs_varsorwoocs_current_values. - Shortcode Creation: To ensure scripts are loaded, create a post with the main currency switcher shortcode:
wp post create --post_type=page --post_status=publish --post_content='[woocs]' --post_title='WOOCS Test'
- Extraction:
- Navigate to the newly created page.
- Execute:
browser_eval("window.woocs_vars?.nonce")(inferred key name).
- Note: For the primary vector (bypassing prices on a product page), no nonce is required as it is a standard GET request.
5. Exploitation Strategy
The goal is to view a product price as a Subscriber while impersonating an Administrator to receive a discount.
Step 1: Confirm Normal Pricing
As the Subscriber user, visit a product page and record the price.
- Request:
GET /product/test-product/ - Headers: Authenticated Subscriber cookies.
Step 2: Impersonate Administrator Role
Send the same request but append the wooc_order_user_roles parameter.
- Request:
GET /product/test-product/?wooc_order_user_roles=administrator - Headers: Authenticated Subscriber cookies.
- Expected Result: The price displayed in the HTML should reflect the price configured for the "Administrator" role.
Step 3: Impersonate via POST (Alternative)
If the site uses AJAX for price updates:
- Request:
POST /wp-admin/admin-ajax.php - Body:
action=woocs_get_custom_price&product_id=[ID]&wooc_order_user_roles=administrator - Content-Type:
application/x-www-form-urlencoded
6. Test Data Setup
- Install/Enable Plugin: Ensure
woocommerceandwoocommerce-currency-switcherare active. - Enable Feature:
- Navigate to WooCommerce > Settings > Currency > Options.
- Enable "Is fixed role allowed" (or similar "Fixed user-role pricing" setting).
- Configure Pricing:
- Create a product (ID e.g., 123) with a regular price of
$100. - In the product's "Currency Switcher" or "Fixed Role Prices" tab, set the price for the administrator role to
$10.
- Create a product (ID e.g., 123) with a regular price of
- Create Attacker:
wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
7. Expected Results
- Normal Subscriber View: The product price shows as
$100. - Exploited View: When the request includes
?wooc_order_user_roles=administrator, the price shows as$10. - Response Content: The HTML source or AJAX JSON response will contain the lower price value despite the user only having Subscriber permissions.
8. Verification Steps
- Check Output: Verify the price difference using the
http_requesttool by searching for the price string in the body. - Verify via CLI: Use
wp evalto check the price resolution logic if possible, but the primary verification is the visual/HTML price change.# Verification of product meta to ensure the test was valid wp post generate --post_type=product --post_title="Vuln Product" wp post meta get [ID] _woocs_regular_price_administrator
9. Alternative Approaches
If the administrator role does not have a configured price, try other common WooCommerce roles that might have discounts:
wholesalewholesale_customershop_managereditor
If the price does not change on the product page, check the Cart Page after adding the item to the cart with the parameter appended:
GET /cart/?wooc_order_user_roles=administrator
The session-based pricing might trigger during the cart totals calculation.
Summary
The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to an authorization bypass in versions up to 1.4.6. The get_value() function in classes/fixed/fixed_user_role.php incorrectly prioritizes the 'wooc_order_user_roles' request parameter over the user's actual roles when resolving role-based prices. This allows authenticated users with Subscriber-level access to impersonate privileged roles like 'administrator' to obtain unauthorized discounts.
Exploit Outline
To exploit this vulnerability, an attacker must be authenticated with at least Subscriber-level permissions. The attacker identifies a target product that has 'Fixed user-role pricing' configured for a privileged role (such as 'administrator' or 'wholesale_customer'). By appending the 'wooc_order_user_roles' parameter to a GET request for a product page (e.g., /product/example-item/?wooc_order_user_roles=administrator) or including it in an AJAX request for price calculation, the attacker forces the plugin to return the lower price tier assigned to the specified role regardless of their actual permissions.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.