CVE-2026-9241
Status: Received - Intake
Authorization Bypass in FOX Currency Switcher for WooCommerce

Publication date: 2026-05-28

Last updated on: 2026-05-28

Assigner: Wordfence

Description
The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 1.4.6. This is due to the `get_value()` function in `classes/fixed/fixed_user_role.php` trusting the attacker-controlled `$_REQUEST['wooc_order_user_roles']` parameter to determine the user's role context for role-based price resolution without any validation, allowing it to override the legitimate role data derived from the authenticated user's session object via `$user->roles`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to impersonate higher-privileged roles, such as wholesale customer or administrator, and obtain discounted or otherwise restricted pricing that should not be available to their actual role. This vulnerability only has practical impact when the fixed user-role pricing feature is enabled and at least one product has a privileged-role price configured.
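The bug class described above, shown as an added illustration that is not code from the FOX plugin: a request parameter is allowed to replace the role list the authenticated session already established, so the price resolver acts on a role the caller does not hold. The hardened variant takes roles from the session only and accepts a request-supplied role context solely for staff who may price on a customer's behalf, and only when it names a role that exists. Function names prefixed `demo_` and the per-role price table are hypothetical; `wp_get_current_user`, `current_user_can`, `wp_roles`, `WP_Roles::is_role` and `sanitize_key` are real WordPress APIs, and `manage_woocommerce` is a real WooCommerce capability. The snippet assumes it runs inside a WordPress request.

```php
<?php
/**
 * Added illustration of the CVE-2026-9241 bug class (CWE-639), not the plugin's
 * own code. demo_* names and the price table are hypothetical; the WordPress
 * and WooCommerce APIs used are real. Runs inside a WordPress request.
 */

/** Constructed per-role price table a store might keep on one product.
 *  Key = role slug, value = price for that role; 'default' is the fallback. */
function demo_role_prices() {
    return array(
        'administrator'      => 50.00,
        'wholesale_customer' => 60.00,
        'default'            => 100.00,
    );
}

/** VULNERABLE pattern: the request parameter overrides the session-derived
 *  roles, so any logged-in user can name a role they do not hold. */
function demo_roles_vulnerable( WP_User $user ) {
    if ( isset( $_REQUEST['wooc_order_user_roles'] ) ) {
        return (array) $_REQUEST['wooc_order_user_roles'];
    }
    return $user->roles;
}

/** HARDENED pattern: the role context comes only from the server-side session.
 *  A request-supplied role is honoured only for users holding the
 *  manage_woocommerce capability, and only if it names an existing role. */
function demo_roles_hardened( WP_User $user ) {
    $roles = $user->roles; // authoritative: derived from the session, not the request

    if ( isset( $_REQUEST['wooc_order_user_roles'] )
        && current_user_can( 'manage_woocommerce' ) ) { // staff-only override
        $requested = array_map( 'sanitize_key', (array) $_REQUEST['wooc_order_user_roles'] );
        $requested = array_filter( $requested, array( wp_roles(), 'is_role' ) ); // must be a real role
        if ( ! empty( $requested ) ) {
            $roles = array_values( $requested );
        }
    }
    return $roles;
}

/** Resolve the price for a role list: the first role with a configured price
 *  wins, otherwise the default. The same resolver serves both variants, so the
 *  only difference in outcome is where $roles came from. */
function demo_resolve_price( array $roles, array $prices ) {
    foreach ( $roles as $role ) {
        if ( 'default' !== $role && isset( $prices[ $role ] ) ) {
            return $prices[ $role ];
        }
    }
    return $prices['default'];
}

// Usage inside a request handler: a Subscriber who sends
// wooc_order_user_roles=wholesale_customer gets 60.00 from the vulnerable
// path and 100.00 from the hardened path.
$user  = wp_get_current_user();
$price = demo_resolve_price( demo_roles_hardened( $user ), demo_role_prices() );
```

If the plugin never needs a staff member to price as another role, the simplest fix is to drop the request parameter entirely and use `$user->roles` alone; the capability-gated branch above is only for the case where such an override is a genuine feature. Whether the upstream fix takes either approach is not stated on this page.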
Meta Information
Generated: 2026-06-17
AI Q&A: 2026-05-28
EPSS Evaluated: 2026-06-16
Affected Vendors & Products (1 associated CPE)
Vendor: fox
Product: currency_switcher_professional
Version / Range: up to and including 1.4.6
CWE
CWE-639: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
Executive Summary

The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress has a vulnerability called Authorization Bypass Through User-Controlled Key in all versions up to and including 1.4.6.

This happens because the plugin's get_value() function trusts an attacker-controlled parameter ($_REQUEST['wooc_order_user_roles']) to determine the user's role context for pricing without validating it.

As a result, an authenticated attacker with Subscriber-level access or higher can impersonate higher-privileged roles like wholesale customer or administrator, allowing them to access discounted or restricted pricing that should not be available to their actual role.

This vulnerability only has practical impact when the fixed user-role pricing feature is enabled and at least one product has a privileged-role price configured.

Impact Analysis

This vulnerability allows attackers with low-level authenticated access (Subscriber or above) to impersonate higher-privileged user roles.

By doing so, they can obtain discounted or otherwise restricted pricing intended only for privileged roles such as wholesale customers or administrators.

This can lead to financial loss for the business due to unauthorized discounts and pricing manipulation.

Compliance Impact

The vulnerability allows authenticated users with Subscriber-level access and above to impersonate higher-privileged roles and obtain restricted pricing. However, there is no information provided about any impact on data privacy, personal data exposure, or regulatory compliance such as GDPR or HIPAA.

Therefore, based on the provided information, it is not possible to determine how this vulnerability affects compliance with common standards and regulations.
