CVE-2026-4094

realmag777 · FOX – Currency Switcher Professional for WooCommerce

The FOX – Currency Switcher plugin for WordPress is vulnerable to unauthorized data loss due to a missing capability check on the 'admin_head' function.

Executive summary

A missing capability check in the FOX – Currency Switcher Professional for WooCommerce plugin allows authenticated users to trigger unauthorized data loss.

Vulnerability

The plugin fails to perform an adequate authorization check (CWE-862) on the 'admin_head' function. This allows an authenticated user, even with low privileges, to access administrative functions and perform unauthorized actions, such as data deletion.

Business impact

This vulnerability is rated at 8.1 (High) and poses a significant risk to the availability and integrity of the e-commerce store. An attacker could intentionally trigger data loss, resulting in potential downtime, loss of sales, and damage to the store's reputation.

Remediation

Immediate Action: Update the "FOX – Currency Switcher Professional for WooCommerce" plugin to version 1.4.6 or later immediately.

Proactive Monitoring: Review administrative audit logs for suspicious activity or unexpected changes initiated by low-privileged user accounts.

Compensating Controls: Use a Web Application Firewall (WAF) to block unauthorized requests targeting the plugin's administrative endpoints if an immediate update is not feasible.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the potential for data loss, site administrators must update the FOX – Currency Switcher plugin to the latest version as a matter of urgency. Additionally, review all current user roles and capabilities to ensure the principle of least privilege is strictly enforced across the WordPress installation.