Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-11778

CVE-2026-11778: CURCY WordPress Plugin RCE Vulnerability

CVE-2026-11778 is a remote code execution vulnerability in the CURCY Multi Currency for WooCommerce WordPress plugin. Unauthenticated attackers can execute arbitrary shortcodes. This article covers technical details, affected versions, and mitigations.

Published:

CVE-2026-11778 Overview

CVE-2026-11778 is an arbitrary shortcode execution vulnerability in the CURCY – Multi Currency for WooCommerce plugin for WordPress. The flaw affects all plugin versions up to and including 2.2.14. The plugin fails to properly validate user-supplied input before passing it to WordPress do_shortcode(), enabling attackers to execute arbitrary shortcodes on the site. The weakness maps to CWE-94: Improper Control of Generation of Code. Exploitation requires network access and low-privileged authentication but no user interaction.

Critical Impact

Authenticated attackers with low privileges can trigger arbitrary WordPress shortcodes through the plugin's cache handler, potentially exposing sensitive site data or abusing shortcode-driven functionality across WooCommerce storefronts.

Affected Products

  • CURCY – Multi Currency for WooCommerce plugin for WordPress
  • All versions up to and including 2.2.14
  • WooCommerce sites running the vulnerable woo-multi-currency plugin

Discovery Timeline

  • 2026-07-03 - CVE-2026-11778 published to NVD
  • 2026-07-06 - Last updated in NVD database

Technical Details for CVE-2026-11778

Vulnerability Analysis

The vulnerability resides in the plugin's frontend cache handler at frontend/cache.php. The plugin exposes an action that accepts a user-controlled value and passes it directly to WordPress do_shortcode() without validating that the value corresponds to a safe, expected shortcode. Because do_shortcode() parses and executes any registered shortcode present in the supplied string, an attacker can inject shortcode syntax such as [shortcode_name attr="value"] and force the site to render it. This turns a caching feature into an execution primitive for arbitrary registered shortcodes.

The impact depends on which shortcodes are registered by WordPress core, WooCommerce, and other installed plugins. Shortcodes commonly expose product data, user information, form handling, or configuration output, which broadens the reachable attack surface.

Root Cause

The root cause is missing input validation before code generation, classified under [CWE-94]. The affected code path in cache.php (lines 18, 99, and 108) does not enforce an allowlist of permitted shortcodes or sanitize the incoming parameter before invoking do_shortcode(). Any authenticated user meeting the low-privilege requirement can supply arbitrary shortcode strings.

Attack Vector

The attack is remote and network-based. An authenticated attacker with low privileges sends a crafted request to the plugin's action endpoint containing shortcode syntax in the vulnerable parameter. The plugin processes the request through its cache handler, evaluates the supplied string via do_shortcode(), and returns or stores the rendered output. No user interaction is required. The confidentiality and integrity impacts are limited to what reachable shortcodes expose or modify.

See the WordPress Plugin Code Review at line 108 and the Wordfence Vulnerability Analysis for the exact call sites.

Detection Methods for CVE-2026-11778

Indicators of Compromise

  • Requests to CURCY plugin AJAX or action endpoints containing bracketed shortcode syntax such as [ and ] in parameter values
  • Unexpected rendered shortcode output appearing in cached responses generated by woo-multi-currency
  • Authenticated sessions from low-privilege accounts (Subscriber or Customer) invoking currency cache actions repeatedly

Detection Strategies

  • Inspect WordPress access logs for POST or GET requests to plugin endpoints under woo-multi-currency carrying URL-encoded %5B or %5D characters in parameters
  • Enable WordPress debug logging and monitor calls to do_shortcode() originating from frontend/cache.php
  • Deploy a web application firewall rule that blocks shortcode delimiters in requests targeting the plugin's action handlers

Monitoring Recommendations

  • Alert on newly created low-privilege accounts followed by requests to the plugin's cache endpoints
  • Track anomalous cache-population traffic volume against CURCY endpoints from single sessions or IPs
  • Correlate shortcode-execution attempts with subsequent access to sensitive WooCommerce data endpoints

How to Mitigate CVE-2026-11778

Immediate Actions Required

  • Update the CURCY – Multi Currency for WooCommerce plugin to a version later than 2.2.14 once the vendor releases a patched build
  • Audit registered WordPress accounts and remove unnecessary low-privilege users who could authenticate and reach the vulnerable action
  • Review WooCommerce and third-party shortcodes registered on the site to understand the exposure if execution occurs

Patch Information

At the time of publication, no vendor patch URL is listed in the NVD entry. Site administrators should monitor the plugin's WordPress.org repository and the Wordfence Vulnerability Analysis advisory for release information and apply the fixed version as soon as it becomes available.

Workarounds

  • Deactivate the CURCY – Multi Currency for WooCommerce plugin until a patched release is available if multi-currency functionality is not business-critical
  • Add a web application firewall rule that blocks shortcode delimiter characters in requests to admin-ajax.php actions and endpoints associated with woo-multi-currency
  • Restrict registration and lower default role assignments so unauthenticated visitors cannot obtain the authenticated context required for exploitation
bash
# Example WAF rule pattern for ModSecurity blocking shortcode delimiters
# on CURCY plugin endpoints
SecRule REQUEST_URI "@contains woo-multi-currency" \
    "chain,deny,status:403,id:1026117780,msg:'CVE-2026-11778 shortcode injection attempt'"
    SecRule ARGS "@rx \[[a-zA-Z0-9_\-]+"

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.