CVE-2026-9241 Overview
CVE-2026-9241 affects the FOX – Currency Switcher Professional for WooCommerce plugin for WordPress in all versions up to and including 1.4.6. The plugin trusts an attacker-controlled $_REQUEST['wooc_order_user_roles'] parameter to determine role context for price resolution. Authenticated users with Subscriber-level access can impersonate higher-privileged roles such as wholesale customer or administrator. This lets them obtain discounted or restricted pricing tied to roles they do not hold. The flaw is classified as Authorization Bypass Through User-Controlled Key [CWE-639].
Critical Impact
Authenticated attackers with Subscriber permissions can bypass role-based pricing controls and purchase products at prices reserved for privileged roles when fixed user-role pricing is enabled.
Affected Products
- FOX – Currency Switcher Professional for WooCommerce plugin for WordPress
- All versions up to and including 1.4.6
- WordPress sites with the fixed user-role pricing feature enabled
Discovery Timeline
- 2026-05-28 - CVE-2026-9241 published to NVD
- 2026-05-28 - Last updated in NVD database
Technical Details for CVE-2026-9241
Vulnerability Analysis
The vulnerability resides in the get_value() function within classes/fixed/fixed_user_role.php. This function resolves a product's price based on the requesting user's role context. Instead of deriving the role exclusively from the authenticated session, the function reads the wooc_order_user_roles parameter directly from $_REQUEST. The supplied value overrides the legitimate role data taken from $user->roles on the server-side session object.
An authenticated attacker with Subscriber-level access submits a crafted request that injects a privileged role name. The plugin honors the user-supplied role and returns the price tied to that role tier. The impact is limited to the integrity of pricing data; no confidentiality or availability impact occurs.
Exploitation requires two preconditions: the fixed user-role pricing feature must be enabled, and at least one product must have a price configured for the impersonated privileged role.
Root Cause
The root cause is missing authorization validation on a user-controlled key. The get_value() function treats the request parameter as an authoritative source of identity instead of cross-checking it against the authenticated user's actual roles. This pattern matches [CWE-639] Authorization Bypass Through User-Controlled Key.
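The CWE-639 pattern described above, shown as an added illustration rather than the plugin's actual get_value() code: a simplified role-priced lookup in its vulnerable form beside a hardened form that takes the role context only from the authenticated WP_User. The function names, the price map and the capability-check remark are assumptions.

```php
<?php
// Added illustration of the CWE-639 pattern in the advisory; this is not
// the plugin's own get_value() code. Function names and the price map are assumed.

// Constructed sample of fixed user-role prices: role slug => price.
$role_prices = [
    'customer'           => 100.00,
    'wholesale_customer' => 60.00,
    'administrator'      => 0.01,
];

// Vulnerable pattern: a request parameter overrides the session-derived roles.
function get_value_vulnerable( array $role_prices, WP_User $user ) {
    $roles = $user->roles;
    if ( isset( $_REQUEST['wooc_order_user_roles'] ) ) {
        // The attacker-controlled key now decides the pricing tier.
        $roles = (array) $_REQUEST['wooc_order_user_roles'];
    }
    foreach ( $roles as $role ) {
        if ( isset( $role_prices[ $role ] ) ) {
            return $role_prices[ $role ];
        }
    }
    return null; // no fixed role price configured; caller falls back to the regular price
}

// Hardened pattern: the role context comes from the authenticated user only.
// A requested role is honoured solely when the user actually holds it.
function get_value_hardened( array $role_prices, WP_User $user ) {
    $session_roles = $user->exists() ? $user->roles : [];
    $requested     = isset( $_REQUEST['wooc_order_user_roles'] )
        ? array_map( 'sanitize_key', (array) wp_unslash( $_REQUEST['wooc_order_user_roles'] ) )
        : $session_roles;
    // Intersect with the session roles so a role the user does not hold is never priced.
    $roles = array_intersect( $requested, $session_roles );
    foreach ( $roles as $role ) {
        if ( isset( $role_prices[ $role ] ) ) {
            return $role_prices[ $role ];
        }
    }
    return null;
}

// Assumed requirement: if an administrative workflow must price an order for
// another customer's role, gate that override behind a capability check such as
//   if ( current_user_can( 'manage_woocommerce' ) ) { ... }
// rather than trusting the request parameter.

// Usage in a request context (a Subscriber sending wooc_order_user_roles=administrator
// reaches the administrator price through the first function, not the second):
$price = get_value_hardened( $role_prices, wp_get_current_user() );
```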
Attack Vector
The attack vector is network-based and requires low-privileged authentication. An attacker logs in as a Subscriber, then issues a request containing wooc_order_user_roles set to a target role such as administrator or a wholesale tier. The plugin returns price values reserved for that role. See the Wordfence Vulnerability Report and the vulnerable source line for technical details.
No public proof-of-concept exploit code is referenced in the advisory. The vulnerability mechanism is documented in the plugin source files referenced in the WordPress plugin Trac.
Detection Methods for CVE-2026-9241
Indicators of Compromise
- HTTP requests containing the wooc_order_user_roles parameter from users whose session role does not match the supplied value
- WooCommerce orders completed by Subscriber-level accounts at prices configured for wholesale or administrator roles
- Repeated price-lookup requests from a single low-privileged account testing multiple role values
Detection Strategies
- Inspect web server and application logs for request parameters (query string or POST body) named wooc_order_user_roles and correlate the supplied role with the authenticated session role
- Compare order line-item prices against the price tier permitted for the purchasing account's actual WordPress role
- Audit WooCommerce order history for price anomalies on products with role-based pricing configured
Monitoring Recommendations
- Enable verbose logging on WordPress and WooCommerce, including request parameter capture for plugin endpoints
- Alert on mismatches between session-derived role and any role identifier passed in request bodies or query strings
- Track installations of the FOX – Currency Switcher Professional plugin and flag versions at or below 1.4.6
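A defender-side check for the session-versus-request role mismatch listed above, written as an added example (not vendor or plugin code) in the form of a WordPress must-use plugin: it logs every request whose wooc_order_user_roles value names a role the session does not hold and can optionally deny such requests as a stop-gap until the update is applied. The plugin name, the constant and the log line format are assumptions.

```php
<?php
/**
 * Plugin Name: wooc_order_user_roles mismatch monitor (added example, not vendor code)
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Assumed switch: set to true to deny mismatching requests from non-administrators.
define( 'WOOC_ROLE_MONITOR_BLOCK', false );

add_action( 'init', 'wooc_role_monitor_check', 1 );

function wooc_role_monitor_check() {
    if ( ! isset( $_REQUEST['wooc_order_user_roles'] ) ) {
        return;
    }
    // Normalise the supplied value(s) the same way a role slug would be compared.
    $requested = array_map(
        'sanitize_key',
        (array) wp_unslash( $_REQUEST['wooc_order_user_roles'] )
    );
    $user          = wp_get_current_user();
    $session_roles = $user->exists() ? $user->roles : [];
    // Any requested role the session does not hold is the indicator of compromise.
    $mismatch = array_diff( $requested, $session_roles );
    if ( empty( $mismatch ) ) {
        return;
    }
    error_log( sprintf(
        'CVE-2026-9241 monitor: user %d (%s) requested role(s) [%s] but holds [%s]; ip=%s uri=%s',
        $user->ID,
        $user->exists() ? $user->user_login : 'anonymous',
        implode( ',', $mismatch ),
        implode( ',', $session_roles ),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-'
    ) );
    // Optional virtual patch: administrators keep any legitimate order-editing flow.
    if ( WOOC_ROLE_MONITOR_BLOCK && ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 'Forbidden', [ 'response' => 403 ] );
    }
}
```

The log line lands in the PHP error log (or debug.log when WP_DEBUG_LOG is on), which is where the alerting rule for the mismatch should be pointed.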
How to Mitigate CVE-2026-9241
Immediate Actions Required
- Update the FOX – Currency Switcher Professional for WooCommerce plugin to a version above 1.4.6 that addresses this issue
- If updates cannot be applied immediately, disable the fixed user-role pricing feature until the patched version is installed
- Review recent orders placed by Subscriber-level accounts on products with role-based pricing for fraudulent pricing
Patch Information
The vendor addressed the flaw in the WordPress.org plugin repository. Review the WordPress Change Log Entry for the specific code changes that remove trust in the wooc_order_user_roles request parameter.
Workarounds
- Remove privileged-role price entries from all WooCommerce products if updating is not feasible
- Add a web application firewall rule blocking requests that contain the wooc_order_user_roles parameter from non-administrator sessions
- Restrict account creation and registration to trusted users to limit the pool of Subscribers that could exploit the flaw
# Example WAF rule (ModSecurity) blocking the user-controlled role parameter
# Note: the WAF cannot see the WordPress session role, so this rule denies the
# parameter for every client, including administrators; scope it to the plugin's
# endpoints or exempt trusted sources if administrators need the parameter.
SecRule ARGS_NAMES "@streq wooc_order_user_roles" \
"id:1009241,phase:2,deny,status:403,\
msg:'CVE-2026-9241 - blocked wooc_order_user_roles override'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.