High severity · 7.1 · NVD Advisory · Published May 27, 2026

CVE-2026-42733

Description

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 WPCS currency-switcher allows DOM-Based XSS. This issue affects WPCS: from n/a through <= 1.3.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The WPCS currency-switcher plugin for WordPress <=1.3.1 is vulnerable to DOM-based XSS due to improper input neutralization.

Vulnerability

The WPCS (currency-switcher) plugin for WordPress, version 1.3.1 and earlier, contains a DOM-based Cross-Site Scripting (XSS) vulnerability. The issue arises from improper neutralization of user-supplied input during web page generation, allowing an attacker to inject and execute arbitrary scripts in the browser of a victim visiting an affected site.

Exploitation

Exploitation requires no special network position beyond being able to serve a crafted link or page to a logged-in administrator or other user with appropriate privileges. The attacker must trick the victim into clicking a malicious link, visiting a crafted page, or submitting a specially prepared form. The attacker's injected script then executes in the context of the victim's session.

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser. This could be used to steal session cookies, redirect users to malicious sites, deliver advertisements, deface the page, or perform other actions within the security context of the vulnerable site. The CVSS score of 7.1 (High) reflects the potential for significant harm despite requiring user interaction.

Mitigation

The vulnerability is fixed in version 1.3.2 of the WPCS plugin. Users should update immediately. If updating is not possible, a mitigation rule from Patchstack can block attacks until the update is applied [1]. No other workarounds are documented. The plugin is actively targeted in mass-exploit campaigns.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1
