FOX Currency Switcher Professional Authenticated Authorization Bypass (CVE-2026-9241)

Vulnerability Overview Vulnerability Name: FOX – Currency Switcher Professional for WooCommerce <= 1.4.6 - Authenticated (Subscriber+) Authorization Bypass via User-Controlled Key to 'wooc_order_user_roles' Parameter CVE ID: CVE-2026-9241 CVSS Score: 4.3 (Medium) Publication Date: May 27, 2026 Last Updated: May 28, 2026 Researcher: Long Lagon Impact Scope Software Type: Plugin Software Name: woocommerce-currency-switcher Affected Versions: <= 1.4.6 Fixed Version: 1.4.7 Remediation Remediation Advice: Upgrade to version 1.4.7 or a later patched version. Vulnerability Description This vulnerability allows authenticated users (Subscriber level and above) to bypass authorization checks by manipulating the 'wooc_order_user_roles' parameter, thereby gaining access to functionalities reserved for higher-privilege roles. Specifically, an attacker can exploit this flaw to perform actions typically restricted to higher-privilege roles, such as obtaining discounted prices or other restricted pricing information, while operating under a lower-privilege role (e.g., Subscriber). References plugins.trac.wordpress.org Additional Information Recently Discovered Vulnerabilities: - FOX – Currency Switcher Professional for WooCommerce <= 1.4.5 - Missing Authorization to Authenticated (Contributor+) Configuration Deletion - FOX <= 1.4.5 - Missing Authorization - FOX <= 1.4.5 - Authenticated (Shop manager+) SQL Injection - The FOX – Currency Switcher Professional for WooCommerce <= 1.4.2.2 - Unauthenticated Arbitrary Shortcode Execution - FOX – Currency Switcher Professional for WooCommerce <= 1.4.2.1 - Unauthenticated Arbitrary Shortcode Execution - WOOC5 – WooCommerce Currency Switcher <= 1.4.2 - Missing Authorization - FOX – Currency Switcher Professional for WooCommerce <= 1.4.1.8 - Unauthenticated Arbitrary Shortcode Execution - WOOC5 – WooCommerce Currency Switcher <= 1.4.1.7 - Cross-Site Request Forgery - FOX – Currency Switcher Professional for WooCommerce <= 1.4.1.6 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scripting - WOOC5 – WooCommerce Currency Switcher <= 1.4.1.4 - Cross-Site Request Forgery via delete_profiles_data Summary This vulnerability primarily affects the FOX – Currency Switcher Professional for WooCommerce plugin versions <= 1.4.6, enabling privilege escalation through manipulation of a specific parameter. Users are advised to upgrade to version 1.4.7 or higher as soon as possible to mitigate this issue.

Goal Reached Thanks to every supporter — we hit 100%!

FOX Currency Switcher Professional Authenticated Authorization Bypass (CVE-2026-9241)

More from this source