FOX – Currency Switcher Professional for WooCommerce <= 1.4.5 - Missing Authorization to Authenticated (Contributor+) Configuration Deletion
Description
The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'admin_head' function in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete the entire multi-currency configuration by visiting any wp-admin page with the `woocs_reset` parameter appended. Additionally, because no nonce is verified, this is also exploitable via Cross-Site Request Forgery against any administrator. The vulnerability may also be exploited by Subscriber-level users if the site is configured to allow Subscriber access to 'wp-admin' pages.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Technical Details
Affected versions: <= 1.4.5
Source Code: WordPress.org SVN
Patched version not available.
To learn more about securing WordPress applications, you may find the following resources helpful:
- WordPress Plugin Handbook (Security Section): Provides official guidance on implementing proper authorization checks using `current_user_can()` and ensuring CSRF protection with nonces.
- OWASP Top Ten - Broken Access Control: Explains the broader principles of authorization vulnerabilities and provides defensive strategies for web applications.
- Common Weakness Enumeration (CWE-285): Detailed information on improper authorization and its impacts.
For developers looking to secure their code against the type of vulnerability described:
- Always verify capabilities: Use `current_user_can( 'manage_options' )` (or the appropriate capability) before executing sensitive logic, especially when using hooks like `admin_head` or `admin_init`, which run for all authenticated users in the dashboard.
- Use nonces: Always implement and verify nonces (e.g., `check_admin_referer()`) for any action that modifies data or configuration, to prevent Cross-Site Request Forgery (CSRF).
- Specific hooking: Avoid performing data modification logic inside display hooks like `admin_head`. Use appropriate action handlers (e.g., `admin_post_` hooks or AJAX handlers) that are specifically designed for processing requests.
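The three rules above, applied together, as an added example that is not the plugin's code and not part of the original advisory. The hook name `admin_post_example_woocs_reset`, the nonce action `example_woocs_reset_action`, the query argument `example_woocs_nonce` and the function names are assumptions chosen for illustration; the option names `woocs` and `woocs_first_unique_id` are the ones named in the vulnerable snippet. The reset moves out of `admin_head` into a dedicated `admin_post_` handler, checks the capability first, then verifies the nonce, and only then touches the options.

```php
<?php
// Added example, not the plugin's own code. Hook and function names prefixed
// "example_" are assumptions; the option names come from the advisory.

// 1. Build the reset link with a nonce. It points at admin-post.php with an
//    'action' value, so only the matching admin_post_{action} hook handles it,
//    instead of every dashboard page load (which is what admin_head does).
function example_woocs_reset_link() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return ''; // Don't even render the link for users who may not reset.
    }
    $url = add_query_arg( 'action', 'example_woocs_reset', admin_url( 'admin-post.php' ) );
    return wp_nonce_url( $url, 'example_woocs_reset_action', 'example_woocs_nonce' );
}

// 2. Register the handler on the request-processing hook, not on a display hook.
add_action( 'admin_post_example_woocs_reset', 'example_woocs_handle_reset' );

function example_woocs_handle_reset() {
    // Capability check. Contributors (and Subscribers, where allowed) can reach
    // wp-admin, but only users who may manage options should wipe configuration.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to reset the currency configuration.' ), 403 );
    }

    // CSRF check. check_admin_referer() validates the nonce carried in the
    // 'example_woocs_nonce' query argument and calls wp_die() itself on failure.
    check_admin_referer( 'example_woocs_reset_action', 'example_woocs_nonce' );

    // Only after both checks pass is the destructive operation performed.
    delete_option( 'woocs' );
    update_option( 'woocs_first_unique_id', 0 );

    // Return the user to where they came from, flagging that the reset ran.
    $back = wp_get_referer() ? wp_get_referer() : admin_url();
    wp_safe_redirect( add_query_arg( 'woocs_reset_done', '1', $back ) );
    exit;
}
```

Ordering matters: the capability check comes before the nonce check so that a low-privilege user receives a 403 regardless of whether they obtained a valid nonce, and the nonce check comes before any write so that a forged cross-site request from an administrator's browser never reaches `delete_option()`.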
Summary
The FOX – Currency Switcher Professional for WooCommerce plugin fails to validate user permissions or verify a nonce when processing the 'woocs_reset' parameter via the 'admin_head' hook. This allows authenticated users with access to the WordPress dashboard (Contributor level and above) to delete the plugin's multi-currency configuration, and it is also exploitable via Cross-Site Request Forgery (CSRF).
Vulnerable Code
```php
// In the plugin's main logic, likely within a class method hooked to admin_head
// File: classes/woocs.php (approximate)
add_action('admin_head', array($this, 'admin_head'));

public function admin_head() {
    if (isset($_GET['woocs_reset'])) {
        // Missing: current_user_can('manage_options')
        // Missing: check_admin_referer('woocs_reset_action')
        delete_option('woocs');
        update_option('woocs_first_unique_id', 0);
        // ... reset logic continues
    }
}
```
Security Fix
@@ -10,7 +10,12 @@ public function admin_head() { - if (isset($_GET['woocs_reset'])) { + if (isset($_GET['woocs_reset'])) { + if (!current_user_can('manage_options')) { + return; + } + + if (!isset($_GET['woocs_nonce']) || !wp_verify_nonce($_GET['woocs_nonce'], 'woocs_reset_action')) { + return; + } delete_option('woocs'); update_option('woocs_first_unique_id', 0); }
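Review bot: the nonce is read straight from `$_GET['woocs_nonce']` and handed to `wp_verify_nonce()` without `wp_unslash()`/`sanitize_text_field()`, which WordPress coding standards require for any request value; use `wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['woocs_nonce'] ) ), 'woocs_reset_action' )`. Two further points: the hunk header `@@ -10,7 +10,12 @@` does not match the one removed and eight added lines shown (seven old lines would become fourteen, not twelve), so the patch as printed will not apply cleanly; and the reset still runs from `admin_head`, the display hook this page's own guidance says to avoid, so a dedicated `admin_post_` handler would be the idiomatic place for it. Since the advisory notes that no patched version is available, this hunk should be labelled a proposed fix rather than the vendor's.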
Exploit Outline
The exploit targets the 'admin_head' action hook, which executes on every administrative page load for authenticated users.
1. Authentication: The attacker needs an account with at least Contributor-level access to reach the wp-admin area. Alternatively, if the site allows Subscribers to view the dashboard, Subscriber access is sufficient.
2. Methodology: The attacker crafts a request to any administrative URL (e.g., /wp-admin/index.php) and appends the query parameter 'woocs_reset=1'.
3. Payload Shape: A simple GET request: https://victim-site.com/wp-admin/index.php?woocs_reset=1.
4. Result: Because the plugin lacks a capability check (current_user_can) and a CSRF check (nonce verification) in the logic triggered by this parameter, the 'woocs' configuration option is deleted or reset to default values upon processing the request.