CVE-2026-11778 Overview
CVE-2026-11778 is an arbitrary shortcode execution vulnerability in the CURCY – Multi Currency for WooCommerce plugin for WordPress. The flaw affects all plugin versions up to and including 2.2.14. The plugin fails to properly validate user-supplied input before passing it to WordPress do_shortcode(), enabling attackers to execute arbitrary shortcodes on the site. The weakness maps to CWE-94: Improper Control of Generation of Code. Exploitation requires network access and low-privileged authentication but no user interaction.
Critical Impact
Authenticated attackers with low privileges can trigger arbitrary WordPress shortcodes through the plugin's cache handler, potentially exposing sensitive site data or abusing shortcode-driven functionality across WooCommerce storefronts.
Affected Products
- CURCY – Multi Currency for WooCommerce plugin for WordPress
- All versions up to and including 2.2.14
- WooCommerce sites running the vulnerable woo-multi-currency plugin
Discovery Timeline
- 2026-07-03 - CVE-2026-11778 published to NVD
- 2026-07-06 - Last updated in NVD database
Technical Details for CVE-2026-11778
Vulnerability Analysis
The vulnerability resides in the plugin's frontend cache handler at frontend/cache.php. The plugin exposes an action that accepts a user-controlled value and passes it directly to WordPress do_shortcode() without validating that the value corresponds to a safe, expected shortcode. Because do_shortcode() parses and executes any registered shortcode present in the supplied string, an attacker can inject shortcode syntax such as [shortcode_name attr="value"] and force the site to render it. This turns a caching feature into an execution primitive for arbitrary registered shortcodes.
The impact depends on which shortcodes are registered by WordPress core, WooCommerce, and other installed plugins. Shortcodes commonly expose product data, user information, form handling, or configuration output, which broadens the reachable attack surface.
Root Cause
The root cause is missing input validation before code generation, classified under [CWE-94]. The affected code path in cache.php (lines 18, 99, and 108) does not enforce an allowlist of permitted shortcodes or sanitize the incoming parameter before invoking do_shortcode(). Any authenticated user meeting the low-privilege requirement can supply arbitrary shortcode strings.
Attack Vector
The attack is remote and network-based. An authenticated attacker with low privileges sends a crafted request to the plugin's action endpoint containing shortcode syntax in the vulnerable parameter. The plugin processes the request through its cache handler, evaluates the supplied string via do_shortcode(), and returns or stores the rendered output. No user interaction is required. The confidentiality and integrity impacts are limited to what reachable shortcodes expose or modify.
See the WordPress Plugin Code Review at line 108 and the Wordfence Vulnerability Analysis for the exact call sites.
Detection Methods for CVE-2026-11778
Indicators of Compromise
- Requests to CURCY plugin AJAX or action endpoints containing bracketed shortcode syntax such as [ and ] in parameter values
- Unexpected rendered shortcode output appearing in cached responses generated by woo-multi-currency
- Authenticated sessions from low-privilege accounts (Subscriber or Customer) invoking currency cache actions repeatedly
Detection Strategies
- Inspect WordPress access logs for POST or GET requests to plugin endpoints under woo-multi-currency carrying URL-encoded %5B or %5D characters in parameters
- Enable WordPress debug logging and monitor calls to do_shortcode() originating from frontend/cache.php
- Deploy a web application firewall rule that blocks shortcode delimiters in requests targeting the plugin's action handlers
Monitoring Recommendations
- Alert on newly created low-privilege accounts followed by requests to the plugin's cache endpoints
- Track anomalous cache-population traffic volume against CURCY endpoints from single sessions or IPs
- Correlate shortcode-execution attempts with subsequent access to sensitive WooCommerce data endpoints
How to Mitigate CVE-2026-11778
Immediate Actions Required
- Update the CURCY – Multi Currency for WooCommerce plugin to a version later than 2.2.14 once the vendor releases a patched build
- Audit registered WordPress accounts and remove unnecessary low-privilege users who could authenticate and reach the vulnerable action
- Review WooCommerce and third-party shortcodes registered on the site to understand the exposure if execution occurs
Patch Information
At the time of publication, no vendor patch URL is listed in the NVD entry. Site administrators should monitor the plugin's WordPress.org repository and the Wordfence Vulnerability Analysis advisory for release information and apply the fixed version as soon as it becomes available.
Workarounds
- Deactivate the CURCY – Multi Currency for WooCommerce plugin until a patched release is available if multi-currency functionality is not business-critical
- Add a web application firewall rule that blocks shortcode delimiter characters in requests to admin-ajax.php actions and endpoints associated with woo-multi-currency
- Restrict registration and lower default role assignments so unauthenticated visitors cannot obtain the authenticated context required for exploitation
# Example WAF rule pattern for ModSecurity blocking shortcode delimiters
# on CURCY plugin endpoints
SecRule REQUEST_URI "@contains woo-multi-currency" \
"chain,deny,status:403,id:1026117780,msg:'CVE-2026-11778 shortcode injection attempt'"
SecRule ARGS "@rx \[[a-zA-Z0-9_\-]+"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

