CVE-2026-32410

The WBW Currency Switcher for WooCommerce plugin (versions up to and including 2.2.5) contains a missing authorization vulnerability. This broken access control issue stems from the lack of proper permission checks or nonce validation in certain functions, allowing unauthenticated users to perform actions that should require higher privileges [1].

The attack surface is accessible via HTTP requests to the vulnerable plugin endpoints. No authentication is required, and the attack does not require any special network position—any remote attacker can exploit this vulnerability. The exploitation is facilitated by the fact that the plugin may not enforce access control on its AJAX actions or admin-facing functionality [1].

An attacker exploiting this vulnerability can leverage the broken access control to execute unauthorized actions within the context of the WordPress installation. While the CVSS score of 5.3 indicates medium severity, such vulnerabilities are commonly used in mass-exploit campaigns against thousands of websites [1].

The vulnerability has been patched in version 2.2.6. Users are strongly advised to update to the latest version immediately. For those unable to update, implementing web application firewall rules or consulting with hosting providers may provide temporary protection [1].