WordPress Plugin Vulnerabilities

WPCS – WordPress Currency Switcher Professional < 1.2.0 - Subscriber+ Missing Authorization Checks

Description

The plugin does not prevent any logged-in users, like subscribers, from creating, editing, or deleting custom drop-down currency switchers.

Affects Plugins

Plugin icon
currency-switcher
Fixed in 1.2.0

References

CVE
CVE-2023-2557

Classification

Type
INCORRECT AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-863
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Alex Thomas
Verified
No
WPVDB ID
b9cb8191-f74e-4eb7-9974-34f7d828c44b

Timeline

Publicly Published
2023-05-12 (about 3 years ago)
Added
2023-06-09 (about 2 years ago)
Last Updated
2023-06-09 (about 2 years ago)

Other

Published
Title
Published
2023-11-28
Title
WCMultiShipping < 2.3.8 - Subscriber+ Arbitrary Account Credentials Test
Published
2026-02-18
Title
The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce < 6.4.8 - Incorrect Authorization to Authenticated (Author+) Arbitrary Draft Post Creation via 'post_type'
Published
2025-08-27
Title
Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection < 11.59 - Insufficient Authorization to Unauthenticated Blocklist Bypass
Published
2024-12-16
Title
Easy Digital Downloads 3.1 - 3.3.4 - Improper Authorization to Paywall Bypass
Published
2025-03-03
Title
Ultimate WordPress Auction Plugin < 4.3.0 - Contributor+ Arbitrary Post Deletion