VYPR
Medium severity (4.3) · NVD Advisory · Published May 28, 2026

CVE-2026-9241

Description

The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 1.4.6. This is due to the get_value() function in classes/fixed/fixed_user_role.php trusting the attacker-controlled $_REQUEST['wooc_order_user_roles'] parameter to determine the user's role context for role-based price resolution without any validation, allowing it to override the legitimate role data derived from the authenticated user's session object via $user->roles. This makes it possible for authenticated attackers, with Subscriber-level access and above, to impersonate higher-privileged roles — such as wholesale customer or administrator — and obtain discounted or otherwise restricted pricing that should not be available to their actual role. This vulnerability only has practical impact when the fixed user-role pricing feature is enabled and at least one product has a privileged-role price configured.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The FOX Currency Switcher plugin for WooCommerce allows authenticated attackers to bypass role-based pricing by manipulating a request parameter, enabling unauthorized discounts.

Vulnerability

The FOX – Currency Switcher Professional for WooCommerce plugin (versions ≤1.4.6) contains an authorization bypass vulnerability in the get_value() function within classes/fixed/fixed_user_role.php. The function uses the attacker-controlled $_REQUEST['wooc_order_user_roles'] parameter to determine the user's role context for role-based price resolution, without validating it against the authenticated user's actual roles from the session object via $user->roles [1][2]. This allows the parameter to override legitimate role data. The vulnerability is exploitable only when the fixed user-role pricing feature is enabled and at least one product has a privileged-role price configured.

Exploitation

An authenticated attacker with at least Subscriber-level access can send a crafted request containing the wooc_order_user_roles parameter set to a higher-privileged role (e.g., administrator or wholesale_customer). The plugin's get_value() function trusts this parameter without validation, causing the system to apply pricing intended for that higher role. No additional authentication or user interaction is required beyond being logged in.

Impact

Successful exploitation allows the attacker to view and potentially purchase products at discounted or restricted prices that are only intended for higher-privileged roles. This can lead to unauthorized financial gain or access to exclusive pricing tiers. The impact is limited to price manipulation; no direct code execution or data breach is reported.

Mitigation

The vendor has not yet released a patched version as of the publication date (2026-05-28). Users should disable the fixed user-role pricing feature if not needed, or restrict access to the plugin until an update is available. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog at this time.

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0. No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input validation in the `get_value()` function allows an attacker-controlled request parameter to override the authenticated user's role data for role-based price resolution."

Attack vector

An authenticated attacker with Subscriber-level access or above sends a crafted HTTP request that includes the `$_REQUEST['wooc_order_user_roles']` parameter set to a higher-privileged role name (e.g., `administrator` or `wholesale_customer`). The `get_value()` function in `classes/fixed/fixed_user_role.php` uses this user-controlled key directly, bypassing the actual role data from the authenticated user's session. This allows the attacker to obtain discounted or restricted pricing that should only be available to higher-privileged roles. The attack is only practical when the fixed user-role pricing feature is enabled (`woocs_is_fixed_user_role` option is set) and at least one product has a privileged-role price configured [ref_id=1].

Affected code

The vulnerability resides in the `get_value()` function in `classes/fixed/fixed_user_role.php`. This function trusts the attacker-controlled `$_REQUEST['wooc_order_user_roles']` parameter to determine the user's role context for role-based price resolution without any validation, allowing it to override the legitimate role data derived from the authenticated user's session object via `$user->roles` [ref_id=1].

What the fix does

The advisory does not include a patch diff. The recommended remediation is to add validation in the `get_value()` function in `classes/fixed/fixed_user_role.php` so that the user's role is derived exclusively from the authenticated user's session object (`$user->roles`) rather than from the attacker-controlled `$_REQUEST['wooc_order_user_roles']` parameter. Any user-supplied role value should be ignored or validated against the actual roles of the authenticated user before being used for price resolution [ref_id=1].
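The following is an added illustration of the remediation described above; it is not code from the FOX plugin or its vendor, and the function names are hypothetical. Only the `wooc_order_user_roles` parameter name and the `$user->roles` session data come from the advisory; the code assumes it runs inside WordPress, where `wp_get_current_user()`, `sanitize_key()` and `wp_unslash()` are core functions. The weak pattern is shown beside a hardened version that validates any request-supplied role against the roles the session actually grants and logs a mismatch.

```php
<?php
// Added example, not the plugin's code. Function names are hypothetical;
// the request parameter name and $user->roles come from the advisory.
// Assumes a WordPress runtime (wp_get_current_user(), sanitize_key(),
// wp_unslash() are core WordPress functions).

/**
 * Weak pattern as the advisory describes it: the role used for
 * role-based price resolution is taken from the request, so the
 * caller rather than the session decides which price tier applies.
 */
function fox_example_weak_role_context(): string {
    if ( ! empty( $_REQUEST['wooc_order_user_roles'] ) ) {
        return sanitize_key( wp_unslash( $_REQUEST['wooc_order_user_roles'] ) );
    }
    $user = wp_get_current_user();
    return (string) ( $user->roles[0] ?? '' );
}

/**
 * Hardened pattern: the role context comes from the authenticated
 * session only. A request-supplied value is honoured solely when it
 * names a role the current user already holds; anything else is
 * ignored and logged, which doubles as a detection signal.
 */
function fox_example_hardened_role_context(): string {
    $user = wp_get_current_user();
    if ( ! ( $user instanceof WP_User ) || 0 === $user->ID ) {
        return ''; // anonymous visitor: no role-based price tier applies
    }

    // Roles the session actually grants, e.g. ['subscriber'].
    $session_roles = array_values( array_map( 'strval', (array) $user->roles ) );

    $requested = isset( $_REQUEST['wooc_order_user_roles'] )
        ? sanitize_key( wp_unslash( $_REQUEST['wooc_order_user_roles'] ) )
        : '';

    if ( '' === $requested ) {
        return $session_roles[0] ?? '';
    }

    // Validate against the session instead of trusting the parameter.
    if ( in_array( $requested, $session_roles, true ) ) {
        return $requested;
    }

    // Mismatch: a logged-in user asked for a role they do not hold.
    // Fall back to the session role and leave an audit trail.
    error_log( sprintf(
        'wooc_order_user_roles mismatch: user %d holds [%s], requested "%s"',
        $user->ID,
        implode( ',', $session_roles ),
        $requested
    ) );
    return $session_roles[0] ?? '';
}
```

Until a vendor patch is available, the logged mismatch line is a useful thing to alert on: a Subscriber-level session that repeatedly submits `wooc_order_user_roles` naming `administrator` or a wholesale role is exactly the activity the advisory warns about.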

Preconditions

  • auth: The attacker must be authenticated with at least Subscriber-level access to the WordPress site.
  • config: The fixed user-role pricing feature must be enabled (woocs_is_fixed_user_role option set to true).
  • config: At least one product must have a privileged-role price configured (e.g., a wholesale or administrator price).
  • network: The attacker must be able to send HTTP requests with arbitrary request parameters (GET or POST).

Generated on May 28, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 5

News mentions: 0. No linked articles in our index yet.