FOX – Currency Switcher Professional for WooCommerce <= 1.4.2.1 - Unauthenticated Arbitrary Shortcode Execution
Description
The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.4.2.1. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode in the 'woocs_get_custom_price_html' function. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated attackers can execute arbitrary WordPress shortcodes via the FOX Currency Switcher plugin up to v1.4.2.1.
Vulnerability
The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress versions up to and including 1.4.2.1 contains an arbitrary shortcode execution vulnerability in the woocs_get_custom_price_html function. The plugin fails to properly validate a value before passing it to the WordPress do_shortcode function, allowing unauthenticated attackers to execute arbitrary shortcodes [1].
Exploitation
An attacker needs no authentication and no special network position beyond standard HTTP access to the WordPress instance. A crafted request that reaches the woocs_get_custom_price_html function with unvalidated input can carry arbitrary shortcode syntax, which WordPress then evaluates and executes [1].
Impact
Successful exploitation allows an unauthenticated attacker to execute any WordPress shortcode, including those provided by other plugins or themes. This can lead to data disclosure, file writes, privilege escalation, or remote code execution depending on the available shortcodes in the environment [1].
Mitigation
The vendor has released version 1.4.3 to address this vulnerability; users should update to that version or later [1]. No workaround is documented. The plugin is not listed in CISA's Known Exploited Vulnerabilities catalog as of this writing.
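An added example (not from the advisory or the plugin's own code): a Python check that reads the Version: field from a plugin's main PHP file header and reports whether it is older than the fixed release 1.4.3. The sample header is constructed, and treating every version below 1.4.3 as affected is a conservative assumption.

```python
import re

FIXED_VERSION = "1.4.3"  # first fixed release, per the advisory text above

# Same idea as WordPress's own header scan: optional comment decoration,
# then "Version:" at the start of a line.
_HEADER_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.IGNORECASE | re.MULTILINE)

# Constructed sample of a plugin main-file header (not copied from the plugin).
SAMPLE_HEADER = """<?php
/*
Plugin Name: FOX - Currency Switcher Professional for WooCommerce
Version: 1.4.2.1
*/
"""


def header_version(plugin_php_source):
    """Return the 'Version:' header value, or None if it is absent."""
    # WordPress only reads the first 8 KB of the file for header data.
    match = _HEADER_RE.search(plugin_php_source[:8192])
    return match.group(1) if match else None


def version_key(version):
    """Turn '1.4.2.1' into (1, 4, 2, 1) so versions compare numerically."""
    parts = []
    for piece in version.strip().split("."):
        digits = re.match(r"\d+", piece)
        if not digits:
            raise ValueError(f"unparseable version component: {piece!r}")
        parts.append(int(digits.group()))
    while parts and parts[-1] == 0:  # 1.4.3.0 is the same release as 1.4.3
        parts.pop()
    return tuple(parts)


def is_affected(version):
    """True for any version older than the fixed release (assumption: none is exempt)."""
    return version_key(version) < version_key(FIXED_VERSION)


def audit(plugin_php_source):
    """Classify a plugin main file as 'affected', 'fixed' or 'unknown'."""
    version = header_version(plugin_php_source)
    if version is None:
        return "unknown"
    try:
        return "affected" if is_affected(version) else "fixed"
    except ValueError:
        return "unknown"
```

Comparing the components as integers matters here: a plain string comparison would rank a later release such as 1.4.10 below 1.4.3 and report it as affected.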
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- realmag777/FOX – Currency Switcher Professional for WooCommerce v5 Range: 0
Patches
No patches discovered yet.