CVE-2026-4094 Overview
CVE-2026-4094 affects the FOX – Currency Switcher Professional for WooCommerce plugin for WordPress in all versions up to and including 1.4.5. The flaw stems from a missing capability check on the admin_head function. Authenticated attackers with Contributor-level access can delete the entire multi-currency configuration by visiting any wp-admin page with the woocs_reset parameter appended. The plugin also lacks nonce verification, making the issue exploitable through Cross-Site Request Forgery (CSRF) against any administrator. Subscriber-level users may also exploit the flaw on sites configured to allow Subscriber access to wp-admin pages. The vulnerability falls under CWE-862: Missing Authorization.
Critical Impact
Low-privileged authenticated users or CSRF-targeted administrators can destroy the entire multi-currency configuration of a WooCommerce store, disrupting pricing, conversions, and customer-facing checkout flows.
Affected Products
- FOX – Currency Switcher Professional for WooCommerce (WordPress plugin)
- All versions up to and including 1.4.5
- Sites allowing Contributor-level (or Subscriber-level with wp-admin access) authenticated users
Discovery Timeline
- 2026-05-15 - CVE-2026-4094 published to NVD
- 2026-05-15 - Last updated in NVD database
Technical Details for CVE-2026-4094
Vulnerability Analysis
The flaw resides in the plugin's admin_head handler, located in classes/woocs.php around lines 1167–1168. The function executes a reset of the multi-currency configuration when the woocs_reset query parameter is present on any administrative page request. The handler does not validate that the requesting user holds an appropriate administrative capability, nor does it verify a WordPress nonce associated with the action.
Because admin_head fires on any wp-admin page render, the destructive reset path is reachable from any endpoint a low-privileged user can load. The result is unauthorized data loss: the stored currency definitions, conversion rates, and switcher configuration are wiped without confirmation.
Root Cause
The root cause is a Broken Access Control issue (CWE-862). The plugin trusts the presence of the woocs_reset request parameter as sufficient authorization for a destructive action. Two controls are absent: a current_user_can() capability check (for example, against manage_woocommerce or manage_options) and a wp_verify_nonce() call tied to the reset action. The combination converts a routine query string into an unauthenticated-style destructive operation for any session loading the admin area.
Attack Vector
A Contributor-level user authenticates to WordPress and requests any wp-admin URL with ?woocs_reset=1 appended. The admin_head hook fires, the reset logic runs, and the configuration is deleted. Alternatively, an attacker hosts a page that triggers an authenticated administrator's browser to request a wp-admin URL containing the parameter, achieving the same destructive outcome via CSRF. On sites that expose wp-admin to Subscribers, the bar drops further, and any registered customer can trigger the reset.
No verified public proof-of-concept code is published. See the Wordfence Vulnerability Report and the WordPress Plugin Code Review for source-level analysis.
Detection Methods for CVE-2026-4094
Indicators of Compromise
- HTTP requests to any /wp-admin/ URL containing the woocs_reset query parameter from non-administrator sessions.
- Sudden absence or reset of WooCommerce multi-currency configuration entries in the wp_options table.
- Cross-origin Referer headers on wp-admin requests carrying woocs_reset, indicative of CSRF exploitation.
Detection Strategies
- Inspect web server and WordPress access logs for the literal substring woocs_reset in request URIs.
- Correlate the requesting user's role with the request; flag any non-administrator account triggering admin-side resets.
- Monitor WooCommerce settings tables for unexpected truncation or default-value rewrites following an authenticated session event.
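As an added example (not code from the advisory or the plugin), the following PHP script applies the log-based checks above to constructed access-log lines: it flags wp-admin requests carrying woocs_reset and separates direct hits from the cross-origin Referer pattern that points at CSRF. The combined log format and the site hostname shop.example are assumptions.

```php
<?php
// Added example (not from the advisory or the plugin): scan access-log lines
// for the CVE-2026-4094 indicators above. Sample lines are constructed and
// $siteHost is an assumed value for the store's own hostname.
// Parse one combined-format access log line, or return null if it does not match.
function parseLogLine(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3],
            'uri' => $m[4], 'status' => (int)$m[5], 'referer' => $m[6]];
}

// Return one finding per wp-admin request carrying woocs_reset. The Referer
// host is compared with the site host to separate direct hits (no-referer or
// same-origin) from the cross-origin pattern that indicates CSRF.
function findWoocsResetRequests(array $lines, string $siteHost): array {
    $findings = [];
    foreach ($lines as $line) {
        $req = parseLogLine($line);
        if ($req === null || strpos($req['uri'], '/wp-admin/') !== 0) {
            continue;
        }
        parse_str((string) parse_url($req['uri'], PHP_URL_QUERY), $params);
        if (!array_key_exists('woocs_reset', $params)) {
            continue;   // ordinary admin page load
        }
        $refHost = in_array($req['referer'], ['', '-'], true) ? null : parse_url($req['referer'], PHP_URL_HOST);
        $kind = $refHost === null ? 'no-referer'
              : (strcasecmp($refHost, $siteHost) === 0 ? 'same-origin' : 'cross-origin');
        $findings[] = ['ip' => $req['ip'], 'time' => $req['time'],
                       'uri' => $req['uri'], 'kind' => $kind];
    }
    return $findings;
}

// Constructed sample lines: a benign admin page load, a direct hit with the
// reset parameter, and a hit whose Referer is an external domain.
$sample = [
    '10.0.0.5 - - [15/May/2026:10:01:02 +0000] "GET /wp-admin/edit.php HTTP/1.1" 200 5120 "https://shop.example/wp-admin/" "Mozilla/5.0"',
    '10.0.0.7 - - [15/May/2026:10:02:10 +0000] "GET /wp-admin/edit.php?woocs_reset=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [15/May/2026:10:03:44 +0000] "GET /wp-admin/index.php?woocs_reset=1 HTTP/1.1" 200 4096 "https://lure.example/page.html" "Mozilla/5.0"',
];
foreach (findWoocsResetRequests($sample, 'shop.example') as $f) {
    printf("%s %s %s %s\n", $f['time'], $f['ip'], $f['kind'], $f['uri']);
}
```

Role correlation (strategy two above) needs the WordPress user behind each session, which the access log does not carry; join the findings against an audit log keyed by IP and time to complete that check.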
Monitoring Recommendations
- Enable WordPress audit logging for option changes affecting woocs_* keys and alert on bulk deletions.
- Add a Web Application Firewall (WAF) rule that blocks or challenges requests to wp-admin containing woocs_reset from non-administrative roles or cross-origin referers.
- Track administrator session activity for unexpected GET requests originating from external domains.
How to Mitigate CVE-2026-4094
Immediate Actions Required
- Update the FOX – Currency Switcher Professional for WooCommerce plugin to the version released in changeset 3483839, which adds the missing capability and nonce checks.
- Audit the current multi-currency configuration and restore from backup if reset activity is detected in logs.
- Review and revoke unnecessary Contributor or Subscriber accounts, particularly on stores that have customized wp-admin access for Subscribers.
Patch Information
The vendor addressed the issue in the plugin update tracked by WordPress Changeset 3483839. Apply any plugin release that supersedes 1.4.5. Confirm the fix is in place by reviewing the patched admin_head handler in classes/woocs.php for the presence of a capability check and wp_verify_nonce() validation.
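An added example, not the plugin's actual code: a hypothetical reconstruction of the vulnerable admin_head pattern described in the Root Cause section beside a hardened form with the two missing controls that the patch is said to add. It assumes a WordPress/WooCommerce runtime; the option names, the manage_woocommerce capability choice and the nonce action and argument names are assumptions.

```php
<?php
// Added example (not the plugin's code): a hypothetical admin_head reset
// handler showing the two controls the advisory says were absent. Assumes a
// WordPress/WooCommerce runtime; option names, the capability and the nonce
// action/arg names are assumptions.
// Vulnerable pattern as described above: the parameter alone triggers the
// reset on every wp-admin render, with no capability or nonce check.
function woocs_reset_vulnerable(): void {
    if (isset($_GET['woocs_reset'])) {
        woocs_delete_configuration();
    }
}

// Hardened pattern: authorize the user, then verify a nonce bound to the action.
function woocs_reset_hardened(): void {
    if (!isset($_GET['woocs_reset'])) {
        return;
    }
    // 1) Authorization: only users who may manage the store can reset it.
    if (!current_user_can('manage_woocommerce')) {
        wp_die(esc_html__('Not allowed to reset the currency configuration.', 'woocs'), '', 403);
    }
    // 2) CSRF protection: the request must carry a nonce minted for this action;
    //    check_admin_referer() dies if the nonce is missing or invalid.
    check_admin_referer('woocs_reset_action', 'woocs_nonce');
    woocs_delete_configuration();
    // Redirect so a reload cannot repeat the destructive action.
    wp_safe_redirect(remove_query_arg(['woocs_reset', 'woocs_nonce']));
    exit;
}

// The only legitimate way to reach the reset: a link minted with a nonce,
// rendered only for users who already hold the capability.
function woocs_reset_link(): string {
    if (!current_user_can('manage_woocommerce')) {
        return '';
    }
    $url = add_query_arg('woocs_reset', '1', admin_url('admin.php?page=woocs'));
    return wp_nonce_url($url, 'woocs_reset_action', 'woocs_nonce');
}

// Stand-in for the plugin's own reset logic (option names are assumed).
function woocs_delete_configuration(): void {
    delete_option('woocs_currencies');
    delete_option('woocs_default_currency');
}

add_action('admin_head', 'woocs_reset_hardened');
```

When verifying a patched release, look for both a current_user_can() test and a nonce check (wp_verify_nonce() or check_admin_referer()) on the reset path, not just one of them.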
Workarounds
- If immediate patching is not possible, deploy a WAF rule that blocks requests to wp-admin containing the woocs_reset parameter for all users below Administrator.
- Restrict wp-admin access for Subscriber and Contributor roles using a server-level access control or plugin such as a role manager.
- Maintain frequent backups of WooCommerce option tables to enable rapid restoration if a reset is triggered.
# Example WAF/ModSecurity rule blocking the destructive parameter.
# The WAF cannot see the WordPress role, so this blocks the parameter for
# every client; perform any legitimate reset only after patching.
SecRule REQUEST_URI "@contains wp-admin" \
    "chain,phase:1,deny,status:403,id:1026409401,\
    msg:'Block CVE-2026-4094 woocs_reset attempt'"
    SecRule ARGS_NAMES "@streq woocs_reset" "t:lowercase"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.