WordPress Plugin Vulnerabilities

FOX – Currency Switcher Professional for WooCommerce < 1.4.1.7 - Subscriber+ Stored XSS

Description

The plugin does not sanitise and escape its currency options parameters, which could allow any authenticated users, such as subscribers to perform Stored Cross-Site Scripting attacks

Affects Plugins

Plugin icon
woocommerce-currency-switcher
Fixed in 1.4.1.7

References

CVE
CVE-2023-6556
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/8cb37019-33f6-4f72-adfc-befbfbf69e47

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
6.4 (medium)

Miscellaneous

Original Researcher
Lucio Sá
Verified
No
WPVDB ID
c350ea99-91b9-40c8-9163-9aa0f3450861

Timeline

Publicly Published
2023-12-23 (about 2 years ago)
Added
2023-12-26 (about 2 years ago)
Last Updated
2023-12-26 (about 2 years ago)

Other

Published
Title
Published
2024-10-09
Title
WP Builder <= 3.0.7 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Upload
Published
2025-01-21
Title
Picture Gallery – Frontend Image Uploads, AJAX Photo List < 1.5.20 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-08-18
Title
Nexter Blocks < 4.5.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets
Published
2025-09-08
Title
Mikado Core < 1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Published
2024-03-06
Title
User Registration – Custom Registration Form, Login Form, and User Profile WordPress Plugin < 3.1.5 - Unauthenticated Stored Self-Based Cross-Site Scripting