VYPR
High severity (7.3) · NVD Advisory · Published Mar 11, 2025 · Updated Apr 15, 2026

CVE-2025-2169

Description

The WPCS – WordPress Currency Switcher Professional plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 1.2.0.4. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Unauthenticated attackers can execute arbitrary WordPress shortcodes in WPCS – WordPress Currency Switcher Professional up to 1.2.0.4 due to missing validation before do_shortcode.

Vulnerability

The WPCS – WordPress Currency Switcher Professional plugin for WordPress contains an arbitrary shortcode execution vulnerability in all versions up to and including 1.2.0.4. The flaw exists because the plugin allows users to trigger an action that passes a value to do_shortcode without proper validation or sanitization. This is present in the plugin's code at index.php around line 1920 [1]. Any shortcode registered in WordPress can be called, including those that perform sensitive operations.

Exploitation

An unauthenticated attacker can exploit this vulnerability by sending a crafted request to the vulnerable WordPress site. The attacker does not need any special privileges or prior authentication. The specific action that triggers the insecure do_shortcode call is exposed to unauthenticated users. By manipulating the request parameters, the attacker can supply arbitrary shortcode strings that the plugin will execute.

Impact

Successful exploitation allows an attacker to execute arbitrary WordPress shortcodes. Depending on the shortcodes available on the site, this can lead to a variety of severe outcomes, including information disclosure, file deletion, content injection, privilege escalation, or remote code execution if a shortcode with such capabilities exists (e.g., from other plugins). The attacker gains the ability to run any registered shortcode without any authentication.

Mitigation

The vendor has released a patched version. Users should update to version 1.2.0.5 or later, which fixes the vulnerability. The patch was made available on the WordPress plugin repository on 2025-03-11. There is no workaround available for sites running an affected version; updating is the only mitigation. This CVE is not listed in the CISA Known Exploited Vulnerabilities catalog as of the publication date.

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
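The plugin's own code is not reproduced on this page, so the following is an added illustration of the bug class described above rather than the vendor's code: a WordPress AJAX handler that hands request text straight to do_shortcode, beside a hardened handler that never evaluates caller-supplied shortcode text. The action name, nonce name, shortcode tag and attribute are hypothetical.

```php
<?php
// Illustrative example only; not the WPCS plugin's code.

// Vulnerable pattern (the class of flaw in the advisory): the request body
// supplies the shortcode text verbatim, and every registered shortcode on the
// site becomes callable by whoever can reach the action.
function example_vulnerable_handler() {
    $raw = isset( $_POST['shortcode'] ) ? wp_unslash( $_POST['shortcode'] ) : '';
    echo do_shortcode( $raw ); // no validation, no allowlist, no nonce
    wp_die();
}

// Hardened pattern: accept only an identifier, map it to a server-side
// allowlist, constrain every attribute, and build the shortcode string
// yourself so request text never reaches do_shortcode().
const EXAMPLE_ALLOWED_SHORTCODES = array( 'example_currency_switcher' ); // hypothetical tag

function example_safe_handler() {
    // CSRF protection for the (hypothetical) AJAX action.
    check_ajax_referer( 'example_switcher_nonce', 'nonce' );

    $tag = isset( $_POST['tag'] ) ? sanitize_key( wp_unslash( $_POST['tag'] ) ) : '';
    if ( ! in_array( $tag, EXAMPLE_ALLOWED_SHORTCODES, true ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( 'unknown shortcode', 400 );
    }

    // Only a known attribute, with a tightly constrained value (ISO-style 3-letter code).
    $currency = isset( $_POST['currency'] )
        ? strtoupper( sanitize_text_field( wp_unslash( $_POST['currency'] ) ) )
        : 'USD';
    if ( ! preg_match( '/^[A-Z]{3}$/', $currency ) ) {
        wp_send_json_error( 'invalid currency code', 400 );
    }

    // The shortcode string is assembled from validated values, not copied from the request.
    $html = do_shortcode( sprintf( '[%s currency="%s"]', $tag, $currency ) );
    wp_send_json_success( $html );
}

// Hypothetical action name; register for both logged-in and anonymous callers
// because the switcher is a front-end feature.
add_action( 'wp_ajax_example_switch', 'example_safe_handler' );
add_action( 'wp_ajax_nopriv_example_switch', 'example_safe_handler' );
```

For detection, a request to the site's AJAX endpoint whose parameters carry bracketed shortcode syntax (for example `[` followed by a tag name) is a useful signal of this class of attack against any plugin.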

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 0 (no linked articles in our index yet)