CVE-2026-11778
MEDIUM
CURCY <= 2.2.14 - Unauthenticated Arbitrary Shortcode Execution via 'exchange' Parameter
Title source: cna
Description
The CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.2.14. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
Scores
CVSS v3
5.4
EPSS
0.0026
EPSS Percentile
16.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Details
CWE
CWE-94
Status
published
Products (1)
villatheme/CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x
< 2.2.14
Published
Jul 03, 2026
Tracked Since
Jul 03, 2026