CVE-2026-4094
realmag777 · FOX – Currency Switcher Professional for WooCommerce
The FOX – Currency Switcher plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'admin_head' function.
Executive summary
A missing capability check in the FOX – Currency Switcher Professional for WooCommerce plugin allows authenticated users to trigger unauthorized data loss.
Vulnerability
The plugin fails to perform an adequate authorization check (CWE-862) on the 'admin_head' function. This allows an authenticated user, even with low privileges, to access administrative functions and perform unauthorized actions, such as data deletion.
Business impact
This vulnerability is rated at 8.1 (High) and poses a significant risk to the availability and integrity of the e-commerce store. An attacker could intentionally trigger data loss, resulting in potential downtime, loss of sales, and damage to the store's reputation.
Remediation
Immediate Action: Update the "FOX – Currency Switcher Professional for WooCommerce" plugin to version 1.4.6 or later immediately.
Proactive Monitoring: Review administrative audit logs for suspicious activity or unexpected changes initiated by low-privileged user accounts.
Compensating Controls: Use a Web Application Firewall (WAF) to block unauthorized requests targeting the plugin's administrative endpoints if an immediate update is not feasible.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the potential for data loss, site administrators must update the FOX – Currency Switcher plugin to the latest version as a matter of urgency. Additionally, review all current user roles and capabilities to ensure the principle of least privilege is strictly enforced across the WordPress installation.