Description
The WPCS – WordPress Currency Switcher Professional plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.0.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Published: 2025-03-11
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Shortcode Execution
Action: Immediate Patch
AI Analysis

Impact

The WPCS – WordPress Currency Switcher Professional plugin passes user input to WordPress’s do_shortcode function without proper validation, so any supplied text is processed as shortcode content. Because the action that does this is reachable by unauthenticated users, an attacker can submit arbitrary shortcode content to the site. The flaw therefore gives an unauthenticated attacker the ability to execute any shortcode registered on the site.

Affected Systems

This issue affects WordPress sites running the realmag777 WPCS – WordPress Currency Switcher Professional plugin in any released version up to and including 1.2.0.4. The plugin is installed in the WordPress plugins directory, and its shortcode handling is triggered during page rendering, widget updates, and other content processing.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.3, rated High. The EPSS probability is reported as less than 1 %, suggesting that exploitation is currently uncommon but not ruled out. The issue is not listed in the CISA KEV catalog. An unauthenticated user can submit the malicious content through any public‑facing page or widget that accepts shortcode input, so exploitation requires no special privileges or preconditions.

Generated by OpenCVE AI on April 21, 2026 at 22:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WPCS – WordPress Currency Switcher Professional plugin to a version newer than 1.2.0.4 where the unchecked shortcode execution has been fixed.
  • If a plugin update is not immediately possible, disable or remove the plugin from the WordPress installation to eliminate the risk of arbitrary shortcode execution.
  • Remove any existing arbitrary shortcodes from the site’s content or widget configurations, and apply a shortcode restriction or whitelist if the plugin supports it to prevent future insertion of unvalidated shortcodes.

Generated by OpenCVE AI on April 21, 2026 at 22:01 UTC.
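The Impact section above describes an action that forwards a request value straight into do_shortcode, and the Recommended Actions suggest a shortcode allowlist. The following is an added illustration, not the WPCS plugin's code and not part of the OpenCVE record: a hypothetical WordPress AJAX handler showing that unvalidated pattern beside a hardened version that accepts only a tag name from a fixed allowlist, checks a nonce, and builds the shortcode string server-side. Every example_-prefixed name, the shortcode tag and the nonce action are assumptions.

```php
<?php
// Hypothetical WordPress AJAX handlers (example code, not the WPCS plugin's own).

// Pattern the advisory describes: a value from an unauthenticated request
// reaches do_shortcode() with no validation, so any registered shortcode runs.
add_action( 'wp_ajax_nopriv_example_render', 'example_render_shortcode_unchecked' );
function example_render_shortcode_unchecked() {
    $value = isset( $_POST['shortcode'] ) ? wp_unslash( $_POST['shortcode'] ) : '';
    echo do_shortcode( $value );
    wp_die();
}

// Hardened version: the client names a tag, never supplies shortcode text.
// Hypothetical tag name; a real plugin would list only its own shortcodes.
const EXAMPLE_ALLOWED_SHORTCODES = array( 'example_currency_switcher' );

add_action( 'wp_ajax_nopriv_example_render_safe', 'example_render_shortcode_safe' );
function example_render_shortcode_safe() {
    // Reject requests that did not originate from a page we rendered.
    check_ajax_referer( 'example_render_nonce', 'nonce' );

    // The tag must be one we allow AND actually registered.
    $tag = isset( $_POST['tag'] ) ? sanitize_key( wp_unslash( $_POST['tag'] ) ) : '';
    if ( ! in_array( $tag, EXAMPLE_ALLOWED_SHORTCODES, true ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( 'unsupported shortcode', 400 ); // exits
    }

    // Only known attributes, each validated; anything else is dropped.
    $attrs = array();
    if ( isset( $_POST['currency'] ) ) {
        $currency = strtoupper( sanitize_text_field( wp_unslash( $_POST['currency'] ) ) );
        if ( preg_match( '/^[A-Z]{3}$/', $currency ) ) {
            $attrs['currency'] = $currency;
        }
    }

    // Build the shortcode ourselves so user input never becomes shortcode syntax.
    $shortcode = '[' . $tag;
    foreach ( $attrs as $name => $val ) {
        $shortcode .= ' ' . $name . '="' . esc_attr( $val ) . '"';
    }
    $shortcode .= ']';

    wp_send_json_success( do_shortcode( $shortcode ) );
}
```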


Advisories
Source: EUVD
ID: EUVD-2025-7525
Title: The WPCS – WordPress Currency Switcher Professional plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.0.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
History

Fri, 11 Jul 2025 13:45:00 +0000

Metrics
  epss removed: {'score': 0.00208}
  epss added: {'score': 0.00307}


Tue, 11 Mar 2025 14:15:00 +0000

Metrics
  ssvc added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 11 Mar 2025 03:30:00 +0000

Description added: The WPCS – WordPress Currency Switcher Professional plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.0.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Title added: WPCS – WordPress Currency Switcher Professional <= 1.2.0.4 - Unauthenticated Arbitrary Shortcode Execution
Weaknesses added: CWE-94
References
Metrics
  cvssV3_1 added: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}



MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:18:33.909Z

Reserved: 2025-03-10T14:31:22.621Z

Link: CVE-2025-2169

Vulnrichment

Updated: 2025-03-11T13:50:30.108Z

NVD

Status: Deferred

Published: 2025-03-11T04:15:25.330

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-2169

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T22:15:45Z

Weaknesses