CVE-2026-9241

FOX – Currency Switcher Professional for WooCommerce <= 1.4.6 - Authenticated (Subscriber+) Authorization Bypass via User-Controlled Key to 'wooc_order_user_roles' Parameter

mediumAuthorization Bypass Through User-Controlled Key
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
1.4.7
Patched in
1d
Time to patch

Description

The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 1.4.6. This is due to the `get_value()` function in `classes/fixed/fixed_user_role.php` trusting the attacker-controlled `$_REQUEST['wooc_order_user_roles']` parameter to determine the user's role context for role-based price resolution without any validation, allowing it to override the legitimate role data derived from the authenticated user's session object via `$user->roles`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to impersonate higher-privileged roles — such as wholesale customer or administrator — and obtain discounted or otherwise restricted pricing that should not be available to their actual role. This vulnerability only has practical impact when the fixed user-role pricing feature is enabled and at least one product has a privileged-role price configured.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.4.6
PublishedMay 27, 2026
Last updatedMay 28, 2026

Source Code

WordPress.org SVN
Patched

Patched version not available.

Research Plan
Unverified

This research plan outlines the technical steps to exploit CVE-2026-9241, an authorization bypass in the FOX – Currency Switcher Professional for WooCommerce plugin. ## 1. Vulnerability Summary The vulnerability exists in the `get_value()` function within `classes/fixed/fixed_user_role.php`. This f…

Show full research plan

This research plan outlines the technical steps to exploit CVE-2026-9241, an authorization bypass in the FOX – Currency Switcher Professional for WooCommerce plugin.

1. Vulnerability Summary

The vulnerability exists in the get_value() function within classes/fixed/fixed_user_role.php. This function is responsible for determining the correct product price based on a user's role when the "Fixed User Role Prices" feature is enabled.

The code incorrectly prioritizes the value of $_REQUEST['wooc_order_user_roles'] over the legitimate roles derived from the authenticated $user->roles object. Because $_REQUEST parameters are user-controllable, an authenticated user (Subscriber level or higher) can supply an arbitrary role name in the request. The plugin then uses this supplied role to fetch prices, allowing the attacker to access discounts or pricing tiers reserved for higher-privileged roles like "Administrator" or "Wholesale Customer."

2. Attack Vector Analysis

  • Endpoint: Any page where product prices are rendered (Product single page, Shop page) or AJAX endpoints that recalculate prices (e.g., woocs_get_custom_price).
  • Vulnerable Parameter: wooc_order_user_roles
  • Authentication Level: Authenticated (Subscriber+).
  • Precondition:
    1. The "Fixed user-role pricing" feature must be enabled in the FOX Currency Switcher settings.
    2. At least one product must have a "Fixed role price" defined for a role the attacker does not possess (e.g., a special price for administrator).

3. Code Flow

  1. A request is made to a product page or a pricing filter is triggered.
  2. WooCommerce calls price filters, which are hooked by the WOOCS plugin.
  3. The plugin's logic for fixed pricing is invoked, specifically the get_value() method in WOOCS_FIXED_USER_ROLE (located in classes/fixed/fixed_user_role.php).
  4. Inside get_value():
    • The code checks if $_REQUEST['wooc_order_user_roles'] is set.
    • If set, it assigns this value to the variable used for role-based lookup.
    • If not set, it defaults to the current authenticated user's roles via wp_get_current_user()->roles.
  5. The plugin looks up the product's meta data for the specified role.
  6. The filtered (maliciously chosen) price is returned and displayed to the user.

4. Nonce Acquisition Strategy

While this vulnerability can typically be exploited via a simple GET request to a product page (which does not require a nonce), some pricing updates occur via AJAX.

  1. Identify Script Localization: The plugin typically localizes data into a JavaScript object named woocs_vars or woocs_current_values.
  2. Shortcode Creation: To ensure scripts are loaded, create a post with the main currency switcher shortcode:
    • wp post create --post_type=page --post_status=publish --post_content='[woocs]' --post_title='WOOCS Test'
  3. Extraction:
    • Navigate to the newly created page.
    • Execute: browser_eval("window.woocs_vars?.nonce") (inferred key name).
  4. Note: For the primary vector (bypassing prices on a product page), no nonce is required as it is a standard GET request.

5. Exploitation Strategy

The goal is to view a product price as a Subscriber while impersonating an Administrator to receive a discount.

Step 1: Confirm Normal Pricing

As the Subscriber user, visit a product page and record the price.

  • Request: GET /product/test-product/
  • Headers: Authenticated Subscriber cookies.

Step 2: Impersonate Administrator Role

Send the same request but append the wooc_order_user_roles parameter.

  • Request: GET /product/test-product/?wooc_order_user_roles=administrator
  • Headers: Authenticated Subscriber cookies.
  • Expected Result: The price displayed in the HTML should reflect the price configured for the "Administrator" role.

Step 3: Impersonate via POST (Alternative)

If the site uses AJAX for price updates:

  • Request: POST /wp-admin/admin-ajax.php
  • Body: action=woocs_get_custom_price&product_id=[ID]&wooc_order_user_roles=administrator
  • Content-Type: application/x-www-form-urlencoded

6. Test Data Setup

  1. Install/Enable Plugin: Ensure woocommerce and woocommerce-currency-switcher are active.
  2. Enable Feature:
    • Navigate to WooCommerce > Settings > Currency > Options.
    • Enable "Is fixed role allowed" (or similar "Fixed user-role pricing" setting).
  3. Configure Pricing:
    • Create a product (ID e.g., 123) with a regular price of $100.
    • In the product's "Currency Switcher" or "Fixed Role Prices" tab, set the price for the administrator role to $10.
  4. Create Attacker:
    • wp user create attacker attacker@example.com --role=subscriber --user_pass=password123

7. Expected Results

  • Normal Subscriber View: The product price shows as $100.
  • Exploited View: When the request includes ?wooc_order_user_roles=administrator, the price shows as $10.
  • Response Content: The HTML source or AJAX JSON response will contain the lower price value despite the user only having Subscriber permissions.

8. Verification Steps

  1. Check Output: Verify the price difference using the http_request tool by searching for the price string in the body.
  2. Verify via CLI: Use wp eval to check the price resolution logic if possible, but the primary verification is the visual/HTML price change.
    # Verification of product meta to ensure the test was valid
    wp post generate --post_type=product --post_title="Vuln Product"
    wp post meta get [ID] _woocs_regular_price_administrator
    

9. Alternative Approaches

If the administrator role does not have a configured price, try other common WooCommerce roles that might have discounts:

  • wholesale
  • wholesale_customer
  • shop_manager
  • editor

If the price does not change on the product page, check the Cart Page after adding the item to the cart with the parameter appended:

  • GET /cart/?wooc_order_user_roles=administrator
    The session-based pricing might trigger during the cart totals calculation.
Research Findings
Static analysis — not yet PoC-verified

Summary

The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to an authorization bypass in versions up to 1.4.6. The get_value() function in classes/fixed/fixed_user_role.php incorrectly prioritizes the 'wooc_order_user_roles' request parameter over the user's actual roles when resolving role-based prices. This allows authenticated users with Subscriber-level access to impersonate privileged roles like 'administrator' to obtain unauthorized discounts.

Exploit Outline

To exploit this vulnerability, an attacker must be authenticated with at least Subscriber-level permissions. The attacker identifies a target product that has 'Fixed user-role pricing' configured for a privileged role (such as 'administrator' or 'wholesale_customer'). By appending the 'wooc_order_user_roles' parameter to a GET request for a product page (e.g., /product/example-item/?wooc_order_user_roles=administrator) or including it in an AJAX request for price calculation, the attacker forces the plugin to return the lower price tier assigned to the specified role regardless of their actual permissions.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.