FOX – Currency Switcher Professional for WooCommerce Authorization Bypass Vulnerability

Vulnerability

A vulnerability exists in the FOX – Currency Switcher Professional for WooCommerce plugin for WordPress, specifically in versions through 1.4.6. The issue arises from the `get_value()` function in `classes/fixed/fixed_user_role.php`, which improperly trusts the `$_REQUEST['wooc_order_user_roles']` parameter to determine user roles for pricing decisions. This lack of validation allows attackers with Subscriber-level access or higher to manipulate role data and impersonate users with greater privileges, such as wholesale customers or administrators. As a result, they can access discounted or restricted prices that should not be available to them. The vulnerability is only impactful when the fixed user-role pricing feature is active and at least one product is assigned a privileged-role price.
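
As an added illustration (not the plugin's own source), the PHP sketch below places the unsafe pattern the advisory describes next to a hardened version that derives the pricing role from the authenticated WordPress user instead of the request. The filter name `example_fixed_price_roles`, the function names other than `get_value()`, and the sample role `wholesale_customer` are assumptions for the example.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress core is loaded so
// is_user_logged_in(), wp_get_current_user(), wp_unslash(), etc. are available.

// UNSAFE pattern described in the advisory: the role that drives pricing is
// read straight from the request, so any logged-in caller can name any role.
function unsafe_get_value() {
    if (isset($_REQUEST['wooc_order_user_roles'])) {
        return sanitize_text_field(wp_unslash($_REQUEST['wooc_order_user_roles']));
    }
    return '';
}

// HARDENED: the role comes from the server-side user object. Request input is
// never consulted for this authorization decision; anonymous callers get none.
function safe_get_value() {
    if (!is_user_logged_in()) {
        return '';
    }
    $user = wp_get_current_user();
    // Roles that actually have a fixed price configured (assumed filter/list).
    $priced_roles = apply_filters('example_fixed_price_roles', array('wholesale_customer'));
    // A user may hold several roles; return the first one with a configured price.
    foreach ((array) $user->roles as $role) {
        if (in_array($role, $priced_roles, true)) {
            return $role;
        }
    }
    return '';
}

// Detection aid for defenders: after patching, a request that still carries the
// parameter with a role the caller does not hold is worth logging.
function log_role_mismatch() {
    if (!isset($_REQUEST['wooc_order_user_roles'])) {
        return;
    }
    $claimed = sanitize_text_field(wp_unslash($_REQUEST['wooc_order_user_roles']));
    $actual  = is_user_logged_in() ? (array) wp_get_current_user()->roles : array();
    if (!in_array($claimed, $actual, true)) {
        error_log(sprintf('[fixed_user_role] user %d claimed role "%s" it does not hold',
            get_current_user_id(), $claimed));
    }
}
```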

Impact

Exploitation of this vulnerability allows for an authorization bypass, enabling authenticated users with Subscriber-level access to impersonate higher-privileged roles and access restricted pricing.

Remediation

Users are advised to update the plugin to version 1.4.7 or a newer patched version.

Added: May 28, 2026, 6:27 AM
Updated: May 28, 2026, 6:27 AM

Vulnerability Rating

Custom Algorithm
spread: 1.0
impact: 1.3
exploitability: 6.1
remediation: 7.7
relevance: 9.7
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.