Impact
The Currency Switcher for WooCommerce plugin contains a CSRF vulnerability that allows an attacker to inject malicious scripts that are then stored in the database. When the vulnerable settings page is reached through a forged request, the attacker can embed JavaScript that executes in the context of any user who subsequently views the affected page. This stored XSS is possible because the plugin does not verify the authenticity of the request before saving data, which is why the flaw is classified as CWE-352. Without additional defenses, the injected code can steal credentials, deface the site, or redirect users to phishing domains.
Affected Systems
PressMaximum Currency Switcher for WooCommerce plugin, versions up to 0.0.7.
Risk and Exploitability
The CVSS score of 7.1 indicates a high-severity flaw. The EPSS score of <1% suggests that current exploitation activity is low, and the vulnerability is not listed in the CISA KEV catalog. However, the nature of the attack (cross-site request forgery leading to stored XSS) means that a malicious actor could exploit it by tricking an authenticated user into visiting a crafted URL or by embedding the exploit in an external resource. Because no user interaction is required beyond triggering the form submission, the flaw is more likely to be abused where administrative accounts are shared or already compromised.
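As an added example (not the plugin's own code; every function, action and option name below is hypothetical), this is the WordPress pattern that closes the gap described under Impact: a settings handler that verifies a nonce before saving, checks the user's capability, sanitises the value it stores, and escapes that value on output so a stored string can never run as script.

```php
<?php
// Added example, not code from the Currency Switcher plugin. All names
// (cs_example_* functions, option key, action, nonce field) are hypothetical.

// Pattern that enables CWE-352 followed by stored XSS: no nonce, no capability
// check, raw input stored, and later echoed without escaping.
//   update_option( 'cs_example_symbol', $_POST['cs_example_symbol'] );
//   echo get_option( 'cs_example_symbol' );

// 1. Render the form with a nonce bound to one specific action.
function cs_example_render_settings_form() {
    $value = get_option( 'cs_example_symbol', '' );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="cs_example_save">';
    wp_nonce_field( 'cs_example_save', 'cs_example_nonce' );
    // Escape on output: even if a bad value reached the database it stays inert.
    echo '<input type="text" name="cs_example_symbol" value="' . esc_attr( $value ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}

// 2. Handle the POST: verify origin (nonce), verify authority (capability),
//    then sanitise before storing.
function cs_example_save_settings() {
    // A third-party page cannot know the per-user, per-action nonce, so a
    // forged cross-site request fails here (check_admin_referer dies with 403).
    check_admin_referer( 'cs_example_save', 'cs_example_nonce' );

    // CSRF protection is not authorisation: also require the right capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'cs-example' ), 403 );
    }

    $raw   = isset( $_POST['cs_example_symbol'] ) ? wp_unslash( $_POST['cs_example_symbol'] ) : '';
    $clean = sanitize_text_field( $raw ); // strips tags and control characters
    $clean = mb_substr( $clean, 0, 8 );   // a currency symbol is short; cap the length

    update_option( 'cs_example_symbol', $clean );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_cs_example_save', 'cs_example_save_settings' );
```

The nonce check alone stops the forged request; the capability check and output escaping are the defence-in-depth layers that keep a single missed check from becoming stored XSS again.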
OpenCVE Enrichment