WooCommerce — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/vendors/woocommerce/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioFri, 15 May 2026 07:16:52 +0000CVE-2026-4094: FOX – Currency Switcher Professional for WooCommerce Plugin Vulnerabilityhttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-4094-wordpress-plugin-vuln/Fri, 15 May 2026 07:16:52 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-4094-wordpress-plugin-vuln/The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to unauthorized data loss (CVE-2026-4094) due to a missing capability check, allowing authenticated attackers with Contributor-level access or higher to delete the multi-currency configuration.The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress, versions up to and including 1.4.5, contains an unauthorized data loss vulnerability tracked as CVE-2026-4094. This flaw stems from a missing capability check within the ‘admin_head’ function. Successful exploitation allows authenticated attackers with Contributor-level access and above to trigger the deletion of the entire multi-currency configuration. This is achieved by visiting any wp-admin page with the woocs_reset parameter appended. Furthermore, the absence of nonce verification makes the vulnerability exploitable via Cross-Site Request Forgery (CSRF) against administrators. Subscriber-level users can also exploit the vulnerability if the WordPress site is configured to permit Subscriber access to ‘wp-admin’ pages. This vulnerability poses a risk to websites utilizing the affected plugin, potentially leading to data loss and disruption of e-commerce operations.

Attack Chain

  1. An attacker identifies a WordPress website using a vulnerable version (<= 1.4.5) of the FOX – Currency Switcher Professional for WooCommerce plugin.
  2. The attacker authenticates to the WordPress site with Contributor-level or higher privileges.
  3. Alternatively, the attacker identifies an administrator user and prepares a CSRF attack.
  4. The attacker crafts a malicious URL including the woocs_reset parameter.
  5. The attacker sends the crafted URL to the administrator (CSRF) or directly accesses it through the authenticated session.
  6. The admin_head function executes without proper capability checks.
  7. The multi-currency configuration data is deleted.
  8. The website’s multi-currency functionality is disrupted, potentially impacting sales and user experience.

Impact

Successful exploitation of CVE-2026-4094 leads to the deletion of the multi-currency configuration within the FOX – Currency Switcher Professional for WooCommerce plugin. This results in a loss of website functionality related to currency switching, potentially causing financial losses and negatively impacting the user experience. The number of affected sites is dependent on the adoption rate of the vulnerable plugin.

Recommendation

  • Upgrade the FOX – Currency Switcher Professional for WooCommerce plugin to the latest available version to patch CVE-2026-4094.
  • Apply the Sigma rule “Detect WordPress FOX - Currency Switcher Plugin Reset via woocs_reset Parameter” to identify potential exploitation attempts.
  • Monitor web server logs for requests containing the woocs_reset parameter within the URL to detect potential unauthorized configuration resets.
  • Implement and enforce strong CSRF protection measures on all administrative WordPress pages.
]]>mediumadvisorywordpresswoocommerceplugincsrfdata-losscve-2026-4094