Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 FOX woocommerce-currency-switcher allows Blind SQL Injection.This issue affects FOX: from n/a through <= 1.4.5.
Published: 2026-04-08
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection allowing database compromise
Action: Apply Patch
AI Analysis

Impact

The RealMag777 FOX woocommerce‑currency‑switcher plugin contains a flaw where user input is not properly sanitized before inclusion in an SQL query, creating a blind SQL injection vulnerability. The flaw enables an attacker to send specially crafted requests to the plugin’s processing endpoint and read or modify data stored in the WordPress database. The attack vector is inferred to be remote, via the web interface that the plugin exposes.

Affected Systems

All WordPress installations that use the FOX plugin version 1.4.5 or older are affected. The vulnerability is present in every release from the initial build through version 1.4.5, regardless of earlier or later minor releases within that range.

Risk and Exploitability

The CVSS score of 7.6 indicates a high severity flaw, while the EPSS score of less than 1% suggests a low current exploitation probability. The vulnerability is not listed in the CISA KEV catalog. Exploitation does not require elevated privileges on the host; an attacker only needs the ability to send crafted HTTP requests to the vulnerable plugin endpoint. Successful exploitation could allow unauthorized reading or alteration of WordPress database contents.

Generated by OpenCVE AI on April 10, 2026 at 20:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the FOX plugin to a version newer than 1.4.5 as soon as a patch is available
  • If a patch is not yet available, disable or uninstall the plugin until remediation is possible
  • Verify that the plugin’s query handling no longer incorporates unsanitized user input
  • Implement a web application firewall rule to block suspicious SQL patterns targeting the plugin endpoint
  • Review database logs for anomalous queries that may indicate prior exploitation

Generated by OpenCVE AI on April 10, 2026 at 20:07 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Apr 2026 08:30:00 +0000

Type Values Removed Values Added
First Time appeared Realmag777
Realmag777 fox
Wordpress
Wordpress wordpress
Vendors & Products Realmag777
Realmag777 fox
Wordpress
Wordpress wordpress

Wed, 08 Apr 2026 08:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 FOX woocommerce-currency-switcher allows Blind SQL Injection.This issue affects FOX: from n/a through <= 1.4.5.
Title WordPress FOX plugin <= 1.4.5 - SQL Injection vulnerability
Weaknesses CWE-89
References

Subscriptions

Realmag777 Fox
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:52:01.939Z

Reserved: 2026-04-07T10:47:43.843Z

Link: CVE-2026-39497

cve-icon Vulnrichment

Updated: 2026-04-10T18:06:04.356Z

cve-icon NVD

Status : Deferred

Published: 2026-04-08T09:16:24.090

Modified: 2026-04-24T18:08:35.440

Link: CVE-2026-39497

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-13T14:25:33Z

Weaknesses