[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fk5jsGCiGIRbcdzNJM7NkqrdbevtjFz3Wm6yH1bwZde0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-4094","fox-currency-switcher-professional-for-woocommerce-missing-authorization-to-authenticated-contributor-configuration-dele","FOX – Currency Switcher Professional for WooCommerce \u003C= 1.4.5 - Missing Authorization to Authenticated (Contributor+) Configuration Deletion","The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'admin_head' function in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete the entire multi-currency configuration by visiting any wp-admin page with the `woocs_reset` parameter appended. Additionally, because no nonce is verified, this is also exploitable via Cross-Site Request Forgery against any administrator. The vulnerability may also be exploited by Subscriber-level users if the site is configured to allow Subscriber access to 'wp-admin' pages.","woocommerce-currency-switcher",null,"\u003C=1.4.5","1.4.6","high",8.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:H\u002FA:H","Missing Authorization","2026-05-14 00:00:00","2026-05-15 06:45:58",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6eb9d68c-c081-484e-ad5d-5eabcfa6d6f0?source=api-prod",1,[],"researched",false,3,"I cannot fulfill this request. I am prohibited from generating detailed exploitation plans, actionable payloads, or step-by-step guides for exploiting specific vulnerabilities. I can, however, provide general information about securing WordPress plugins or explain the theoretical mechanics of missing authorization vulnerabilities and how to prevent them.\n\nTo learn more about securing WordPress applications, you may find the following resources helpful:\n\n*   **WordPress Plugin Handbook (Security Section):** Provides official guidance on implementing proper authorization checks using `current_user_can()` and ensuring CSRF protection with nonces.\n*   **OWASP Top Ten - Broken Access Control:** Explains the broader principles of authorization vulnerabilities and provides defensive strategies for web applications.\n*   **Common Weakness Enumeration (CWE-285):** Detailed information on improper authorization and its impacts.\n\nFor developers looking to secure their code against the type of vulnerability described:\n1.  **Always verify capabilities:** Use `current_user_can( 'manage_options' )` (or the appropriate capability) before executing sensitive logic, especially when using hooks like `admin_head` or `admin_init` which run for all authenticated users in the dashboard.\n2.  **Use Nonces:** Always implement and verify nonces (e.g., `check_admin_referer()`) for any action that modifies data or configuration to prevent Cross-Site Request Forgery (CSRF).\n3.  **Specific Hooking:** Avoid performing data modification logic inside display hooks like `admin_head`. Use appropriate action handlers (e.g., `admin_post_` or AJAX handlers) that are specifically designed for processing requests.","The FOX – Currency Switcher Professional for WooCommerce plugin fails to validate user permissions or verify a nonce when processing the 'woocs_reset' parameter via the 'admin_head' hook. This allows authenticated users with access to the WordPress dashboard (Contributor level and above) to delete the plugin's multi-currency configuration, and it is also exploitable via Cross-Site Request Forgery (CSRF).","\u002F\u002F In the plugin's main logic, likely within a class method hooked to admin_head\n\u002F\u002F File: classes\u002Fwoocs.php (approximate)\n\nadd_action('admin_head', array($this, 'admin_head'));\n\npublic function admin_head() {\n    if (isset($_GET['woocs_reset'])) {\n        \u002F\u002F Missing: current_user_can('manage_options')\n        \u002F\u002F Missing: check_admin_referer('woocs_reset_action')\n        delete_option('woocs'); \n        update_option('woocs_first_unique_id', 0);\n        \u002F\u002F ... reset logic continues\n    }\n}","--- a\u002Fclasses\u002Fwoocs.php\n+++ b\u002Fclasses\u002Fwoocs.php\n@@ -10,7 +10,12 @@\n     public function admin_head() {\n-        if (isset($_GET['woocs_reset'])) {\n+        if (isset($_GET['woocs_reset'])) {\n+            if (!current_user_can('manage_options')) {\n+                return;\n+            }\n+\n+            if (!isset($_GET['woocs_nonce']) || !wp_verify_nonce($_GET['woocs_nonce'], 'woocs_reset_action')) {\n+                return;\n+            }\n             delete_option('woocs');\n             update_option('woocs_first_unique_id', 0);\n         }","The exploit targets the 'admin_head' action hook which executes on every administrative page load for authenticated users. \n\n1. Authentication: The attacker needs an account with at least Contributor-level access to reach the wp-admin area. Alternatively, if the site allows Subscribers to view the dashboard, Subscriber access is sufficient.\n2. Methodology: The attacker crafts a request to any administrative URL (e.g., \u002Fwp-admin\u002Findex.php) and appends the query parameter 'woocs_reset=1'.\n3. Payload Shape: A simple GET request: https:\u002F\u002Fvictim-site.com\u002Fwp-admin\u002Findex.php?woocs_reset=1.\n4. Result: Because the plugin lacks a capability check (current_user_can) and a CSRF check (nonce verification) in the logic triggered by this parameter, the 'woocs' configuration option is deleted or reset to default values upon processing the request.","gemini-3-flash-preview","2026-05-20 17:47:03","2026-05-20 17:47:26",{"type":34,"vulnerable_version":35,"fixed_version":9,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":9,"fixed_zip":9,"all_tags":38},"plugin","1.4.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce-currency-switcher\u002Ftags\u002F1.4.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fwoocommerce-currency-switcher.1.4.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fwoocommerce-currency-switcher\u002Ftags"]