FOX Currency Switcher Professional for WooCommerce Missing Authorization Vulnerability Allowing Configuration Deletion

Vulnerability

The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to unauthorized configuration deletion in all versions up to and including 1.4.5. The plugin's 'admin_head' function acts on a 'woocs_reset' request parameter without performing a capability check, so any authenticated user with Contributor-level access or above can delete the entire multi-currency configuration simply by loading any wp-admin page with 'woocs_reset' appended to the URL. Because the function also performs no nonce verification, the same action can be triggered through Cross-Site Request Forgery (CSRF): an attacker who lures an administrator into following a crafted link has the reset executed under that administrator's session. On sites that allow Subscriber-level users to reach wp-admin pages, Subscribers can exploit the flaw directly as well.
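The class of bug described above, shown as an added illustration beside its hardened form. This is not the plugin's code and does not reproduce the 1.4.6 fix; the function names, the option name 'example_currency_config', the nonce action 'example_currency_reset' and the settings page slug are hypothetical. Only the hook name 'admin_head' and the 'woocs_reset' parameter come from the advisory.

```php
<?php
/*
 * Illustrative pattern only (NOT the plugin's code). Option, function and
 * nonce-action names are hypothetical. It shows a reset handler on admin_head
 * with no capability or nonce check, and the same handler hardened.
 */

// --- Vulnerable pattern (hypothetical) -----------------------------------
// admin_head fires on every wp-admin page for any user who can reach wp-admin
// (Contributors, and Subscribers where wp-admin is not locked down). Nothing
// here asks who the user is or whether the request was intentional, so a
// GET to any admin URL with ?woocs_reset=1 wipes the option, and a forged
// link does the same under an administrator's session (CSRF).
function example_vulnerable_admin_head() {
    if ( isset( $_GET['woocs_reset'] ) ) {
        delete_option( 'example_currency_config' ); // hypothetical option name
        wp_safe_redirect( remove_query_arg( 'woocs_reset' ) );
        exit;
    }
}
// add_action( 'admin_head', 'example_vulnerable_admin_head' );

// --- Hardened pattern ----------------------------------------------------
// Three changes: a capability check (authorization), a nonce check (CSRF),
// and a hook that runs before any output so the redirect still works.
function example_hardened_reset_handler() {
    if ( ! isset( $_GET['woocs_reset'] ) ) {
        return;
    }

    // 1. Authorization: only users allowed to manage site options. This
    //    closes the Contributor case and the Subscriber-in-wp-admin case alike.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to reset the currency configuration.' ),
            '',
            array( 'response' => 403 )
        );
    }

    // 2. CSRF: the request must carry a nonce bound to this action and this
    //    user. check_admin_referer() dies with a 403 if it is missing or stale.
    check_admin_referer( 'example_currency_reset', '_wpnonce' );

    // 3. Only now perform the destructive action.
    delete_option( 'example_currency_config' );

    $back = remove_query_arg( array( 'woocs_reset', '_wpnonce' ) );
    wp_safe_redirect( add_query_arg( 'example_reset', '1', $back ) );
    exit;
}
// admin_init runs only in the admin context and before headers are sent.
add_action( 'admin_init', 'example_hardened_reset_handler' );

// The reset link on the settings page must be generated with a matching
// nonce, otherwise the hardened handler also rejects legitimate admins.
function example_reset_link() {
    $url = add_query_arg(
        'woocs_reset',
        '1',
        admin_url( 'admin.php?page=example-currency-settings' ) // hypothetical slug
    );
    return wp_nonce_url( $url, 'example_currency_reset', '_wpnonce' );
}
```

The capability check alone would stop the Contributor and Subscriber cases but not CSRF, because a forged request arrives with the administrator's cookies and passes current_user_can(). The nonce check alone would stop CSRF but still let any logged-in low-privilege user who can obtain a valid nonce from a page they are allowed to view trigger the reset. Both checks are needed, and the destructive call must come after both.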

Impact

Successful exploitation deletes the site's entire multi-currency configuration without authorization, either directly by a Contributor-level (or, where wp-admin is reachable, Subscriber-level) user or through CSRF against an administrator. A store that relies on the plugin for currency switching and pricing can have that configuration wiped, disrupting e-commerce operations until it is rebuilt or restored from a backup.

Remediation

Update the plugin to version 1.4.6 or a later patched version. Until the update is applied, review which accounts hold Contributor-level access or above and whether Subscribers can reach wp-admin pages, and keep a current backup of the multi-currency configuration so it can be restored if it is deleted.

Added: May 15, 2026, 7:20 AM
Updated: May 15, 2026, 7:20 AM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 0.6
exploitability: 6.1
remediation: 7.7
relevance: 8.4
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.