Description
The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'admin_head' function in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete the entire multi-currency configuration by visiting any wp-admin page with the `woocs_reset` parameter appended. Additionally, because no nonce is verified, this is also exploitable via Cross-Site Request Forgery against any administrator. The vulnerability may also be exploited by Subscriber-level users if the site is configured to allow Subscriber access to 'wp-admin' pages.
Published: 2026-05-15
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The FOX – Currency Switcher Professional for WooCommerce plugin contains a missing capability check on the admin_head function, a Missing Authorization flaw (CWE-862), allowing authenticated users with Contributor level or higher to delete the entire multi‑currency configuration. Because the code does not validate a nonce, the mechanism can be invoked via Cross‑Site Request Forgery against administrators. If the site permits Subscriber access to wp‑admin pages, even lower‑privileged users could exploit the flaw. The result is loss of configuration data and potential service interruption for sites relying on the plugin’s currency settings.

Affected Systems

All installations of the FOX – Currency Switcher Professional for WooCommerce plugin running version 1.4.5 or earlier on WordPress sites are affected. The vendor is Realmag777.

Risk and Exploitability

The vulnerability has a CVSS score of 8.1, indicating high severity. EPSS data is not available, and the issue is not listed in the CISA KEV catalog. The attack path requires authenticated access to the wp‑admin area; an attacker with Contributor privileges can trigger the reset by adding the woocs_reset parameter to any admin URL, or an admin can be victimized via CSRF. The potential impact is data loss and service disruption. Given the high score and the need for user authentication, the risk is considerable for sites where contributors or subscribers have admin‑area access.

Generated by OpenCVE AI on May 15, 2026 at 09:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version of FOX – Currency Switcher Professional for WooCommerce that includes the missing capability check and nonce validation.
  • If upgrading is not immediately possible, temporarily modify the plugin’s core file to remove or comment out the woocs_reset handler, or apply a custom patch that restores a capability check and nonce verification before executing the reset.
  • Reconfigure the WordPress role settings to ensure that only administrators can access wp‑admin pages, thereby preventing contributors or subscribers from triggering the reset action.

Generated by OpenCVE AI on May 15, 2026 at 09:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 12:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 15 May 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Realmag777
Realmag777 fox – Currency Switcher Professional For Woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Realmag777
Realmag777 fox – Currency Switcher Professional For Woocommerce
Wordpress
Wordpress wordpress

Fri, 15 May 2026 07:00:00 +0000

Type Values Removed Values Added
Description The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'admin_head' function in all versions up to, and including, 1.4.5. This makes it possible for authenticated attackers, with Contributor-level access and above, to delete the entire multi-currency configuration by visiting any wp-admin page with the `woocs_reset` parameter appended. Additionally, because no nonce is verified, this is also exploitable via Cross-Site Request Forgery against any administrator. The vulnerability may also be exploited by Subscriber-level users if the site is configured to allow Subscriber access to 'wp-admin' pages.
Title FOX – Currency Switcher Professional for WooCommerce <= 1.4.5 - Missing Authorization to Authenticated (Contributor+) Configuration Deletion
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

Realmag777 Fox – Currency Switcher Professional For Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-15T11:25:58.454Z

Reserved: 2026-03-12T22:46:10.355Z

Link: CVE-2026-4094

cve-icon Vulnrichment

Updated: 2026-05-15T11:25:53.446Z

cve-icon NVD

Status : Deferred

Published: 2026-05-15T07:16:20.090

Modified: 2026-05-15T14:09:15.910

Link: CVE-2026-4094

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T11:20:52Z

Weaknesses