CVE-2026-4094: WooCommerce Currency Switcher Plugin Vulnerable to Data Loss
The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to unauthorized data loss, according to the National Vulnerability Database. All versions up to and including 1.4.5 lack a capability check on the admin_head function, so any authenticated user with Contributor-level access or higher can wipe the entire multi-currency configuration.
The exploit requires nothing more than loading any wp-admin page with the woocs_reset parameter appended to the URL; because the handler runs on the admin_head hook, every admin screen is a trigger. The vulnerability, tracked as CVE-2026-4094, also carries a Cross-Site Request Forgery (CSRF) vector: the handler performs no nonce verification, so an attacker who cannot log in at all can still trick a logged-in administrator into loading such a URL, and the reset runs under the administrator's session. Furthermore, on sites configured to let Subscriber-level users reach wp-admin pages, even those accounts can trigger the flaw directly.
The National Vulnerability Database rates it CVSS 8.1 (HIGH), reflecting the impact on data integrity and availability. The root cause is a missing authorization check (CWE-862): a state-changing action was wired to a hook without asking whether the current user is allowed to perform it, the common pitfall that lets lower-privileged users execute administrative functions. Note that the two missing controls are independent: a capability check stops low-privileged accounts, a nonce check stops forged requests from an administrator's browser, and a complete fix needs both.
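The following PHP is an added illustration of the pattern the advisory describes, not the plugin's own code. Only the hook (admin_head), the trigger parameter (woocs_reset) and the two missing checks come from the advisory; the function names, the woocs_demo_* option names and the choice of the manage_woocommerce capability are assumptions made for the example.

```php
<?php
/**
 * Added illustration for CVE-2026-4094, not the plugin's own code.
 * Function names, the woocs_demo_* option names and the 'manage_woocommerce'
 * capability are assumptions; the hook, the parameter and the missing checks
 * are what the advisory describes.
 */

// --- VULNERABLE PATTERN ---------------------------------------------------
// admin_head fires on every wp-admin page load. Nothing here asks who the
// user is or whether they meant to do this, so any account that can reach
// wp-admin (Contributor+, or Subscriber on some sites), or any administrator
// lured to /wp-admin/?woocs_reset=1, wipes the stored configuration.
function woocs_demo_vulnerable_reset() {
    if ( isset( $_GET['woocs_reset'] ) ) {
        delete_option( 'woocs_demo_currencies' ); // assumed option name
        delete_option( 'woocs_demo_settings' );   // assumed option name
    }
}
add_action( 'admin_head', 'woocs_demo_vulnerable_reset' );

// --- HARDENED PATTERN -----------------------------------------------------
// Two independent controls: a capability check (authorization, CWE-862) and
// a nonce check (request intent, CSRF). Hooked on admin_init instead of
// admin_head so the redirect below can be sent before any output.
function woocs_demo_hardened_reset() {
    if ( ! isset( $_GET['woocs_reset'] ) ) {
        return;
    }
    // 1. Authorization: only shop managers and administrators may reset.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( esc_html__( 'You are not allowed to reset currency settings.' ), 403 );
    }
    // 2. CSRF: the request must carry a nonce bound to this action and to the
    //    logged-in user. check_admin_referer() dies with 403 if it is missing or stale.
    check_admin_referer( 'woocs_demo_reset' );

    delete_option( 'woocs_demo_currencies' );
    delete_option( 'woocs_demo_settings' );

    // Strip the trigger from the URL so a page reload does not repeat the action.
    wp_safe_redirect( remove_query_arg( array( 'woocs_reset', '_wpnonce' ) ) );
    exit;
}
add_action( 'admin_init', 'woocs_demo_hardened_reset' );

// The only legitimate way to produce a valid trigger URL. The nonce is tied to
// the current user's session, so an attacker cannot pre-build it for a CSRF page.
function woocs_demo_reset_url() {
    $url = add_query_arg( 'woocs_reset', '1', admin_url( 'admin.php?page=woocs-demo' ) );
    return wp_nonce_url( $url, 'woocs_demo_reset' );
}
```

In the vulnerable form a Subscriber who can reach wp-admin, or an administrator whose browser is sent to the URL by a third-party page, triggers the deletion. In the hardened form the capability check rejects the first case with a 403 and the nonce check rejects the second, because the attacker cannot know the victim's nonce. A destructive action like this is better exposed as a POST form handler than as a GET parameter at all; the GET shape is kept here only to mirror the advisory.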
What This Means For You
- If your organization uses the FOX – Currency Switcher Professional for WooCommerce plugin, check its version now: anything up to and including 1.4.5 is affected. This is not a minor configuration tweak; a Contributor-level account, or an administrator lured to a crafted link, can destroy your multi-currency setup outright, with real operational and financial disruption for a shop that sells in several currencies. Update to a release newer than 1.4.5 if the vendor has published one, or disable the plugin until you can. While you are there, review whether Subscriber-level accounts can reach wp-admin, since that widens the set of users who can trigger the flaw.
🛡️ Detection Rules
Sigma detection rule auto-generated for this CVE and mapped to MITRE ATT&CK.
CVE-2026-4094: WooCommerce Currency Switcher Data Loss via woocs_reset parameter
```yaml
title: CVE-2026-4094: WooCommerce Currency Switcher Data Loss via woocs_reset parameter
id: scw-2026-05-15-ai-1   # Sigma requires a UUID here; regenerate before importing
status: experimental
level: high
description: |
  Detects the 'woocs_reset' parameter in the query string of a request to a '/wp-admin/' URI,
  the exploit vector for CVE-2026-4094 (unauthorized reset of the WooCommerce Currency Switcher
  multi-currency configuration). Web server logs do not record the WordPress role of the client,
  so a hit may come from a Contributor-level or higher account, from a Subscriber on sites that
  allow them into wp-admin, or from an administrator's browser forced onto the URL by a CSRF page;
  correlate with the site's user activity to tell these apart.
author: SCW Feed Engine (AI-generated)
date: 2026-05-15
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-4094/
tags:
  - attack.impact
  - attack.t1485
logsource:
  category: webserver
detection:
  selection:
    cs-uri-query|contains:
      - 'woocs_reset'
    c-uri|contains:
      - '/wp-admin/'
  condition: selection
falsepositives:
  - An administrator deliberately resetting the plugin configuration
```
Source: Shimi's Cyber World
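To see what the rule above does and does not catch, here is an added PHP example (not part of the original page or of the rule's source) that applies its two conditions to access-log lines and adds a Referer heuristic for triage: a hit referred from the shop's own admin pages is most likely an administrator using the feature, while a hit referred from a foreign host fits the CSRF vector. The log lines, client addresses and the site host shop.example are constructed for the example.

```php
<?php
/**
 * Added example, not part of the original page or the Sigma rule above.
 * Applies the rule's selection (query contains "woocs_reset" AND URI contains
 * "/wp-admin/") to Apache combined-format access-log lines and labels each hit
 * by Referer origin. Log lines, addresses and the host "shop.example" are constructed.
 */

const WOOCS_SITE_HOST = 'shop.example'; // assumption: the protected WordPress host

const WOOCS_SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [15/May/2026:10:20:01 +0000] "GET /wp-admin/index.php?woocs_reset=1 HTTP/1.1" 200 512 "https://shop.example/wp-admin/admin.php?page=woocs" "Mozilla/5.0"
203.0.113.7 - - [15/May/2026:10:20:05 +0000] "GET /wp-admin/edit.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.4 - - [15/May/2026:10:21:00 +0000] "GET /?woocs_reset=1 HTTP/1.1" 200 4321 "-" "curl/8.0"
198.51.100.9 - - [15/May/2026:10:22:30 +0000] "GET /wp-admin/?woocs_reset HTTP/1.1" 200 9001 "https://evil.example/promo.html" "Mozilla/5.0"
LOG;

/** Parse one combined-format line into its request fields, or null if it does not fit. */
function woocs_parse_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return [
        'client'  => $m[1],
        'time'    => $m[2],
        'method'  => $m[3],
        'uri'     => $m[4],                                       // the whole request URI (c-uri in Sigma's webserver schema)
        'query'   => (string) ( parse_url( $m[4], PHP_URL_QUERY ) ?? '' ), // the query string (cs-uri-query)
        'status'  => (int) $m[5],
        'referer' => $m[6],
    ];
}

/** The Sigma selection: both substrings must be present in the same request. */
function woocs_rule_matches( array $req ): bool {
    return str_contains( $req['query'], 'woocs_reset' )
        && str_contains( $req['uri'], '/wp-admin/' );
}

/** Triage label: a hit referred from a foreign host is the shape a CSRF page produces. */
function woocs_classify( array $req ): string {
    $ref_host = parse_url( $req['referer'], PHP_URL_HOST );
    if ( $req['referer'] === '-' || $ref_host === null || $ref_host === false ) {
        return 'direct-or-stripped-referer'; // typed URL, script, or privacy-stripped browser
    }
    return strcasecmp( $ref_host, WOOCS_SITE_HOST ) === 0 ? 'same-site' : 'cross-site (possible CSRF)';
}

/** Run the rule over a log blob; returns the matching requests with a triage label. */
function woocs_scan( string $log ): array {
    $hits = [];
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        $req = woocs_parse_line( $line );
        if ( $req !== null && woocs_rule_matches( $req ) ) {
            $req['triage'] = woocs_classify( $req );
            $hits[] = $req;
        }
    }
    return $hits;
}

foreach ( woocs_scan( WOOCS_SAMPLE_LOG ) as $hit ) {
    printf( "%s %-14s %-40s %d  %s\n", $hit['time'], $hit['client'], $hit['uri'], $hit['status'], $hit['triage'] );
}
```

Of the four constructed lines, the first and fourth match: the first is referred from the site's own admin page and is the kind of legitimate use listed under falsepositives, the fourth is referred from evil.example and is the CSRF shape. The second line has no query string and the third hits the front end rather than wp-admin, so neither fires; the latter is correct rather than a gap, because the vulnerable handler only runs on admin_head. Two practical caveats: the rule keys on the raw URI, so make sure your SIEM mapping for c-uri really contains the query string (otherwise only cs-uri-query carries it), and a 200 or 302 response does not by itself confirm the deletion succeeded, so verify the plugin's settings after any hit.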
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-4094 | Affected software | FOX – Currency Switcher Professional for WooCommerce plugin, all versions <= 1.4.5 |
| CVE-2026-4094 | Weakness (CWE-862) | Missing capability check on the 'admin_head' function |
| CVE-2026-4094 | CSRF | No nonce verification for the 'woocs_reset' parameter |
| CVE-2026-4094 | Request pattern | Authenticated request (Contributor+, or Subscriber where wp-admin access is allowed) to any wp-admin page with 'woocs_reset' appended deletes the multi-currency configuration |
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 15, 2026 at 10:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.