CVE-2026-9241
Authorization Bypass in FOX Currency Switcher for WooCommerce
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fox | currency_switcher_professional | up to and including 1.4.6 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
Can you explain this vulnerability to me?
The FOX - Currency Switcher Professional for WooCommerce plugin for WordPress is affected by an Authorization Bypass Through User-Controlled Key vulnerability in all versions up to and including 1.4.6.
The cause is that the plugin's get_value() function takes the role context used for pricing from an attacker-controlled request parameter ($_REQUEST['wooc_order_user_roles']) instead of from the authenticated user's actual roles, and does not validate it.
As a result, an authenticated attacker with Subscriber-level access or higher can claim a higher-privileged role such as wholesale customer or administrator and thereby obtain discounted or restricted pricing that their real role should not receive.
The vulnerability has practical impact only when the fixed user-role pricing feature is enabled and at least one product has a price configured for a privileged role.
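To make the CWE-639 pattern concrete, the following is an added illustration written for this page; it is not the plugin's code and does not reproduce its get_value() function. The function names, the `_role_price_<role>` post-meta key and the "lowest matching role price wins" rule are all assumptions. The first function shows the weak shape the description refers to (role taken from the request); the second shows the hardened shape, where the role context is derived only from the authenticated session.

```php
<?php
// Added example, not the plugin's own code. Helper names and meta keys are hypothetical.
// Assumes it runs inside WordPress so wp_get_current_user(), get_post_meta()
// and sanitize_key() are available.

// Hypothetical storage: per-product meta keyed by role, e.g. '_role_price_wholesale'.
function lookup_role_price( int $product_id, string $role ): ?float {
    if ( '' === $role ) {
        return null;
    }
    $raw = get_post_meta( $product_id, '_role_price_' . $role, true );
    return is_numeric( $raw ) ? (float) $raw : null;
}

// WEAK PATTERN (CWE-639): the role used for the price lookup is a user-controlled
// key read from the request. Any logged-in user can name any role here, so the
// authorization decision is effectively made by the client.
function role_price_from_request( int $product_id ): ?float {
    $role = isset( $_REQUEST['wooc_order_user_roles'] )
        ? sanitize_key( wp_unslash( $_REQUEST['wooc_order_user_roles'] ) )
        : '';
    return lookup_role_price( $product_id, $role );
}

// HARDENED PATTERN: ignore any role supplied by the request and use only the
// roles WordPress has already authenticated for the current session.
function role_price_for_current_user( int $product_id ): ?float {
    $user = wp_get_current_user();
    if ( 0 === $user->ID ) {
        return null; // guest: no role-based price at all
    }

    $best = null;
    foreach ( (array) $user->roles as $role ) {
        $price = lookup_role_price( $product_id, (string) $role );
        // Assumed policy: if the user holds several priced roles, the lowest price applies.
        if ( null !== $price && ( null === $best || $price < $best ) ) {
            $best = $price;
        }
    }
    return $best;
}

// If a legitimate back-office flow really needs to price an order "as" another
// role (for example staff editing a customer's order), gate that override on a
// capability check and a nonce rather than on the mere presence of a parameter.
function role_price_with_staff_override( int $product_id, string $requested_role ): ?float {
    $may_override = current_user_can( 'manage_woocommerce' )
        && isset( $_REQUEST['_wpnonce'] )
        && wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) ), 'role_price_override' );

    if ( $may_override && '' !== $requested_role ) {
        return lookup_role_price( $product_id, sanitize_key( $requested_role ) );
    }
    return role_price_for_current_user( $product_id );
}
```

The key difference is where the role comes from: in the hardened form the only inputs to the authorization decision are `wp_get_current_user()->roles` and, for the override path, `current_user_can()` plus a nonce, so a Subscriber cannot obtain a wholesale or administrator price by changing a request field. When reviewing a site, a request containing `wooc_order_user_roles` from a low-privileged account is a useful thing to look for in access logs.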
How can this vulnerability impact me?
This vulnerability allows attackers with low-level authenticated access (Subscriber or above) to impersonate higher-privileged user roles for pricing purposes.
By doing so, they can obtain discounted or otherwise restricted pricing that is intended only for privileged roles such as wholesale customers or administrators.
For the business this means financial loss through unauthorized discounts and pricing manipulation.