CVE-2026-9241 MEDIUM

CVE-2026-9241: FOX – Currency Switcher Professional for WooCommerce <= 1.4.6 - Authenticated (Subscriber+) Authorization Bypass via User-Controlled Key to 'wooc_order_user_roles' Parameter

Vendor Realmag777
Product FOX – Currency Switcher Professional for WooCommerce
Weakness CWE-639 · IDOR
Published May 28, 2026
Last update May 28, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 1.4.6. This is due to the `get_value()` function in `classes/fixed/fixed_user_role.php` trusting the attacker-controlled `$_REQUEST['wooc_order_user_roles']` parameter to determine the user's role context for role-based price resolution without any validation, allowing it to override the legitimate role data derived from the authenticated user's session object via `$user->roles`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to impersonate higher-privileged roles — such as wholesale customer or administrator — and obtain discounted or otherwise restricted pricing that should not be available to their actual role. This vulnerability only has practical impact when the fixed user-role pricing feature is enabled and at least one product has a privileged-role price configured.

Explanation of Vulnerability in Simple Terms

02Summary

FOX – Currency Switcher Professional for WooCommerce versions 1.4.6 and earlier contain an authorization flaw that allows authenticated users to modify data they should not have access to. An attacker with a low-privilege account can alter settings or content through the plugin's interface. The vulnerability requires an active user account but no additional user interaction.

What an attacker can do

03Attacker Capabilities

Modify plugin settings or data without proper authorization checks.

Potential impact on your site

04Site Impact

Unauthorized users can alter currency settings, pricing, or other plugin configuration affecting store operations.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege WooCommerce user account (e.g., customer or subscriber).

Key dates

06Disclosure timeline

May 28, 2026 CVE published
May 28, 2026 Record updated

Related vulnerabilities

08Related CVE