Description
The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 1.4.6. This is due to the `get_value()` function in `classes/fixed/fixed_user_role.php` trusting the attacker-controlled `$_REQUEST['wooc_order_user_roles']` parameter to determine the user's role context for role-based price resolution without any validation, allowing it to override the legitimate role data derived from the authenticated user's session object via `$user->roles`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to impersonate higher-privileged roles — such as wholesale customer or administrator — and obtain discounted or otherwise restricted pricing that should not be available to their actual role. This vulnerability only has practical impact when the fixed user-role pricing feature is enabled and at least one product has a privileged-role price configured.
Published: 2026-05-28
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The FOX – Currency Switcher Professional for WooCommerce plugin is vulnerable to an authorization bypass that allows an authenticated user with Subscriber or higher access to manipulate the `wooc_order_user_roles` request parameter. The plugin's `get_value()` function trusts this user-controlled key without validation, letting the attacker override the role information normally derived from the authenticated user's session (`$user->roles`). As a result, an attacker can present a higher-privileged role, such as wholesale customer or administrator, to the price-resolution logic and obtain pricing reserved for those roles. The vulnerability only affects configurations where the fixed user-role pricing feature is enabled and at least one product has a privileged-role price.

Affected Systems

realmag777’s FOX – Currency Switcher Professional for WooCommerce plugin for WordPress, versions up to and including 1.4.6.

Risk and Exploitability

The risk is moderate, with a CVSS score of 4.3. Because the vulnerability requires an authenticated user, the attack surface is limited to legitimate users with Subscriber access or higher. The EPSS score is very low (below 1%), and because the flaw affects only a specific plugin module rather than a broader codebase, the likelihood of widespread exploitation is low. The attacker would craft an HTTP request containing the `wooc_order_user_roles` parameter to override the internal role calculation. Since there is no existing CISA KEV listing, the vulnerability is not known to have been exploited in the wild.

Generated by OpenCVE AI on May 28, 2026 at 05:24 UTC.
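An illustrative PHP reconstruction of the pattern described above, written for this page and not taken from the plugin: the vulnerable resolver lets the request parameter replace `$user->roles`, while the hardened version keeps the session roles and honours the parameter only for a capability-checked caller and only for roles that exist on the site. The function names, the `manage_woocommerce` capability choice and the price-lookup shape are assumptions.

```php
<?php
// Illustrative reconstruction of the CVE-2026-9241 pattern. This is NOT the
// plugin's actual code; function names and the capability used are assumptions.

// Vulnerable: the request parameter wins over the authenticated user's real
// roles, so any logged-in user can name a privileged role at price resolution.
function fox_resolve_roles_vulnerable() {
    if ( isset( $_REQUEST['wooc_order_user_roles'] ) ) {
        return (array) $_REQUEST['wooc_order_user_roles'];
    }
    $user = wp_get_current_user();
    return (array) $user->roles;
}

// Hardened: roles come from the authenticated session. The request value is
// honoured only when the caller may act on behalf of others (assumed here to be
// the WooCommerce 'manage_woocommerce' capability) and only for roles that the
// site actually defines; anything else falls back to the session roles.
function fox_resolve_roles_hardened() {
    $user  = wp_get_current_user();
    $roles = (array) $user->roles;

    if ( isset( $_REQUEST['wooc_order_user_roles'] ) && current_user_can( 'manage_woocommerce' ) ) {
        $requested = array_map( 'sanitize_key', (array) wp_unslash( $_REQUEST['wooc_order_user_roles'] ) );
        $known     = array_keys( wp_roles()->roles );          // role slugs registered on this site
        $filtered  = array_values( array_intersect( $requested, $known ) );
        if ( ! empty( $filtered ) ) {
            $roles = $filtered;
        }
    }
    return $roles;
}

// Assumed shape of role-based price resolution: use the first configured
// role price among the resolved roles, otherwise the regular price.
function fox_price_for_roles( array $role_prices, array $roles, float $regular ) : float {
    foreach ( $roles as $role ) {
        if ( isset( $role_prices[ $role ] ) ) {
            return (float) $role_prices[ $role ];
        }
    }
    return $regular;
}
```

With the hardened resolver a Subscriber sending `wooc_order_user_roles=administrator` still resolves to `['subscriber']`, so `fox_price_for_roles()` returns the regular price.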

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the FOX – Currency Switcher plugin to version 1.4.7 or newer, which removes the vulnerable code path.
  • If an immediate update is not possible, disable the fixed user-role pricing feature in the plugin settings to eliminate the affected functionality.
  • Restrict the `wooc_order_user_roles` parameter so that only administrators can supply it, for example by filtering it out of incoming requests from Subscriber-level users before the plugin reads it.



Advisories

No advisories yet.

History

Thu, 28 May 2026 12:30:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 28 May 2026 05:45:00 +0000

Type: First Time appeared
Values Added: Realmag777; Realmag777 fox – Currency Switcher Professional For Woocommerce; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Realmag777; Realmag777 fox – Currency Switcher Professional For Woocommerce; Wordpress; Wordpress wordpress

Thu, 28 May 2026 04:45:00 +0000

Type: Description
Values Added: (identical to the Description at the top of this page)

Type: Title
Values Added: FOX – Currency Switcher Professional for WooCommerce <= 1.4.6 - Authenticated (Subscriber+) Authorization Bypass via User-Controlled Key to 'wooc_order_user_roles' Parameter

Type: Weaknesses
Values Added: CWE-639

Type: References
Values Added: -

Type: Metrics
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-28T10:37:45.822Z

Reserved: 2026-05-21T18:57:33.435Z

Link: CVE-2026-9241

Vulnrichment

Updated: 2026-05-28T10:37:40.629Z

NVD

Status: Deferred

Published: 2026-05-28T05:16:39.600

Modified: 2026-05-28T13:45:25.260

Link: CVE-2026-9241

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T05:30:06Z

Weaknesses