CVE-2024-3734

MEDIUM

FOX - Currency Switcher Professional for WooCommerce <1.4.1.8 - RCE

Title source: llm

Description

The FOX – Currency Switcher Professional for WooCommerce plugin is vulnerable to Unauthenticated Arbitrary Shortcode Execution in versions up to, and including, 1.4.1.8. This allows unauthenticated attackers to execute arbitrary shortcodes. The severity and exploitability depends on what other plugins are installed and what shortcode functionality they provide.

References (3)

Core 3

Core References

Product

https://plugins.trac.wordpress.org/browser/woocommerce-currency-switcher/trunk/classes/woocs.php#L4154

Product

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3072307%40woocommerce-currency-switcher%2Ftrunk&old=3049249%40woocommerce-currency-switcher%2Ftrunk&sfp_email=&sfph_mail=

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/4c1d49d0-c9aa-401c-80b9-d4df7fe97691?source=cve

Scores

CVSS v3 6.5

EPSS 0.0103

EPSS Percentile 59.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-94

Status published

Products (1)

realmag777/FOX – Currency Switcher Professional for WooCommerce < 1.4.1.8

Published May 02, 2024

Tracked Since Feb 18, 2026