[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fSl6S0093WQDkGyLRbiFv58H8cSxPwxDjuIh_v0yVBe8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2026-9241","fox-currency-switcher-professional-for-woocommerce-authenticated-subscriber-authorization-bypass-via-user-controlled-key","FOX – Currency Switcher Professional for WooCommerce \u003C= 1.4.6 - Authenticated (Subscriber+) Authorization Bypass via User-Controlled Key to 'wooc_order_user_roles' Parameter","The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 1.4.6. This is due to the `get_value()` function in `classes\u002Ffixed\u002Ffixed_user_role.php` trusting the attacker-controlled `$_REQUEST['wooc_order_user_roles']` parameter to determine the user's role context for role-based price resolution without any validation, allowing it to override the legitimate role data derived from the authenticated user's session object via `$user->roles`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to impersonate higher-privileged roles — such as wholesale customer or administrator — and obtain discounted or otherwise restricted pricing that should not be available to their actual role. This vulnerability only has practical impact when the fixed user-role pricing feature is enabled and at least one product has a privileged-role price configured.","woocommerce-currency-switcher",null,"\u003C=1.4.6","1.4.7","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Authorization Bypass Through User-Controlled Key","2026-05-27 14:49:48","2026-05-28 03:27:27",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1c8c1fec-0e87-46f7-83c5-8f9e9aa97b4f?source=api-prod",1,[],"researched",false,3,"This research plan outlines the technical steps to exploit CVE-2026-9241, an authorization bypass in the FOX – Currency Switcher Professional for WooCommerce plugin.\n\n## 1. Vulnerability Summary\nThe vulnerability exists in the `get_value()` function within `classes\u002Ffixed\u002Ffixed_user_role.php`. This function is responsible for determining the correct product price based on a user's role when the \"Fixed User Role Prices\" feature is enabled. \n\nThe code incorrectly prioritizes the value of `$_REQUEST['wooc_order_user_roles']` over the legitimate roles derived from the authenticated `$user->roles` object. Because `$_REQUEST` parameters are user-controllable, an authenticated user (Subscriber level or higher) can supply an arbitrary role name in the request. The plugin then uses this supplied role to fetch prices, allowing the attacker to access discounts or pricing tiers reserved for higher-privileged roles like \"Administrator\" or \"Wholesale Customer.\"\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** Any page where product prices are rendered (Product single page, Shop page) or AJAX endpoints that recalculate prices (e.g., `woocs_get_custom_price`).\n*   **Vulnerable Parameter:** `wooc_order_user_roles`\n*   **Authentication Level:** Authenticated (Subscriber+).\n*   **Precondition:**\n    1.  The \"Fixed user-role pricing\" feature must be enabled in the FOX Currency Switcher settings.\n    2.  At least one product must have a \"Fixed role price\" defined for a role the attacker does not possess (e.g., a special price for `administrator`).\n\n## 3. Code Flow\n1.  A request is made to a product page or a pricing filter is triggered.\n2.  WooCommerce calls price filters, which are hooked by the WOOCS plugin.\n3.  The plugin's logic for fixed pricing is invoked, specifically the `get_value()` method in `WOOCS_FIXED_USER_ROLE` (located in `classes\u002Ffixed\u002Ffixed_user_role.php`).\n4.  Inside `get_value()`:\n    *   The code checks if `$_REQUEST['wooc_order_user_roles']` is set.\n    *   If set, it assigns this value to the variable used for role-based lookup.\n    *   If not set, it defaults to the current authenticated user's roles via `wp_get_current_user()->roles`.\n5.  The plugin looks up the product's meta data for the specified role.\n6.  The filtered (maliciously chosen) price is returned and displayed to the user.\n\n## 4. Nonce Acquisition Strategy\nWhile this vulnerability can typically be exploited via a simple GET request to a product page (which does not require a nonce), some pricing updates occur via AJAX.\n\n1.  **Identify Script Localization:** The plugin typically localizes data into a JavaScript object named `woocs_vars` or `woocs_current_values`.\n2.  **Shortcode Creation:** To ensure scripts are loaded, create a post with the main currency switcher shortcode:\n    *   `wp post create --post_type=page --post_status=publish --post_content='[woocs]' --post_title='WOOCS Test'`\n3.  **Extraction:**\n    *   Navigate to the newly created page.\n    *   Execute: `browser_eval(\"window.woocs_vars?.nonce\")` (inferred key name).\n4.  **Note:** For the primary vector (bypassing prices on a product page), **no nonce is required** as it is a standard GET request.\n\n## 5. Exploitation Strategy\nThe goal is to view a product price as a Subscriber while impersonating an Administrator to receive a discount.\n\n### Step 1: Confirm Normal Pricing\nAs the Subscriber user, visit a product page and record the price.\n*   **Request:** `GET \u002Fproduct\u002Ftest-product\u002F`\n*   **Headers:** Authenticated Subscriber cookies.\n\n### Step 2: Impersonate Administrator Role\nSend the same request but append the `wooc_order_user_roles` parameter.\n*   **Request:** `GET \u002Fproduct\u002Ftest-product\u002F?wooc_order_user_roles=administrator`\n*   **Headers:** Authenticated Subscriber cookies.\n*   **Expected Result:** The price displayed in the HTML should reflect the price configured for the \"Administrator\" role.\n\n### Step 3: Impersonate via POST (Alternative)\nIf the site uses AJAX for price updates:\n*   **Request:** `POST \u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Body:** `action=woocs_get_custom_price&product_id=[ID]&wooc_order_user_roles=administrator`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n\n## 6. Test Data Setup\n1.  **Install\u002FEnable Plugin:** Ensure `woocommerce` and `woocommerce-currency-switcher` are active.\n2.  **Enable Feature:**\n    *   Navigate to **WooCommerce > Settings > Currency > Options**.\n    *   Enable **\"Is fixed role allowed\"** (or similar \"Fixed user-role pricing\" setting).\n3.  **Configure Pricing:**\n    *   Create a product (ID e.g., 123) with a regular price of `$100`.\n    *   In the product's \"Currency Switcher\" or \"Fixed Role Prices\" tab, set the price for the **administrator** role to `$10`.\n4.  **Create Attacker:**\n    *   `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`\n\n## 7. Expected Results\n*   **Normal Subscriber View:** The product price shows as `$100`.\n*   **Exploited View:** When the request includes `?wooc_order_user_roles=administrator`, the price shows as `$10`.\n*   **Response Content:** The HTML source or AJAX JSON response will contain the lower price value despite the user only having Subscriber permissions.\n\n## 8. Verification Steps\n1.  **Check Output:** Verify the price difference using the `http_request` tool by searching for the price string in the body.\n2.  **Verify via CLI:** Use `wp eval` to check the price resolution logic if possible, but the primary verification is the visual\u002FHTML price change.\n    ```bash\n    # Verification of product meta to ensure the test was valid\n    wp post generate --post_type=product --post_title=\"Vuln Product\"\n    wp post meta get [ID] _woocs_regular_price_administrator\n    ```\n\n## 9. Alternative Approaches\nIf the `administrator` role does not have a configured price, try other common WooCommerce roles that might have discounts:\n*   `wholesale`\n*   `wholesale_customer`\n*   `shop_manager`\n*   `editor`\n\nIf the price does not change on the product page, check the **Cart Page** after adding the item to the cart with the parameter appended:\n*   `GET \u002Fcart\u002F?wooc_order_user_roles=administrator`\nThe session-based pricing might trigger during the cart totals calculation.","The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to an authorization bypass in versions up to 1.4.6. The get_value() function in classes\u002Ffixed\u002Ffixed_user_role.php incorrectly prioritizes the 'wooc_order_user_roles' request parameter over the user's actual roles when resolving role-based prices. This allows authenticated users with Subscriber-level access to impersonate privileged roles like 'administrator' to obtain unauthorized discounts.","To exploit this vulnerability, an attacker must be authenticated with at least Subscriber-level permissions. The attacker identifies a target product that has 'Fixed user-role pricing' configured for a privileged role (such as 'administrator' or 'wholesale_customer'). By appending the 'wooc_order_user_roles' parameter to a GET request for a product page (e.g., \u002Fproduct\u002Fexample-item\u002F?wooc_order_user_roles=administrator) or including it in an AJAX request for price calculation, the attacker forces the plugin to return the lower price tier assigned to the specified role regardless of their actual permissions.","gemini-3-flash-preview","2026-06-04 17:19:06","2026-06-04 17:19:31",{"type":32,"vulnerable_version":33,"fixed_version":9,"vulnerable_browse":34,"vulnerable_zip":35,"fixed_browse":9,"fixed_zip":9,"all_tags":36},"plugin","1.4.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce-currency-switcher\u002Ftags\u002F1.4.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoocommerce-currency-switcher.1.4.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce-currency-switcher\u002Ftags"]