WordPress Plugin Vulnerabilities

YayCurrency < 3.3.1 - Missing Authorization to Unauthenticated Arbitrary Post Deletion

Description

The YayCurrency – WooCommerce Multi-Currency Switcher plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on a function in all versions up to, and including, 3.3. This makes it possible for unauthenticated attackers to delete arbitrary posts.

Affects Plugins

Plugin icon
yaycurrency
Fixed in 3.3.1

References

CVE
CVE-2025-67994
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/08fcba30-d28a-4e92-b7cd-ef1a4f37faf9

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Denver Jackson
Verified
No
WPVDB ID
f9cc10de-8a98-4b5d-bbea-8de58d82b1eb

Timeline

Publicly Published
2026-02-09 (about 3 months ago)
Added
2026-02-17 (about 3 months ago)
Last Updated
2026-02-17 (about 3 months ago)

Other

Published
Title
Published
2025-01-23
Title
Sastra Essential Addons for Elementor – Free Elementor Addons, Widgets and Templates < 1.0.15 - Missing Authorization to Spexo Theme Install
Published
2022-07-11
Title
YaySMTP < 2.2.1 - Subscriber+ SMTP Credentials Leak
Published
2022-06-06
Title
XCloner < 4.3.6 - Plugin Settings Reset
Published
2025-12-01
Title
Get Cash <= 3.2.3 - Missing Authorization
Published
2024-12-02
Title
WP Mailster < 1.8.17.0 - Missing Authorization