MEDIUM 4.3

CVE-2026-9241: FOX Currency Switcher WooCommerce Authorization Bypass (User-Controlled Role)

The FOX – Currency Switcher Professional for WooCommerce plugin contains a flaw that lets authenticated users trick the system into thinking they have higher privileges than they actually do. By manipulating a request parameter, a subscriber-level user can impersonate a wholesale customer or administrator to access pricing they shouldn't be able to see. This only matters if your store uses the fixed user-role pricing feature and has set special prices for privileged customer types.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-639
Affected products
0 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to Authorization Bypass Through User-Controlled Key in all versions up to and including 1.4.6. This is due to the `get_value()` function in `classes/fixed/fixed_user_role.php` trusting the attacker-controlled `$_REQUEST['wooc_order_user_roles']` parameter to determine the user's role context for role-based price resolution without any validation, allowing it to override the legitimate role data derived from the authenticated user's session object via `$user->roles`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to impersonate higher-privileged roles — such as wholesale customer or administrator — and obtain discounted or otherwise restricted pricing that should not be available to their actual role. This vulnerability only has practical impact when the fixed user-role pricing feature is enabled and at least one product has a privileged-role price configured.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the `get_value()` function within `classes/fixed/fixed_user_role.php`. The plugin uses an attacker-controlled `$_REQUEST['wooc_order_user_roles']` parameter to determine pricing eligibility without validating it against the authenticated user's actual role data from the session object (`$user->roles`). An authenticated attacker can supply arbitrary role values in the request, causing the pricing engine to apply role-based discounts and restrictions associated with roles the attacker does not possess. The flaw is an Authorization Bypass through User-Controlled Key (CWE-639), classified as Medium severity (CVSS 3.1: 4.3).

Business impact

E-commerce stores using this plugin risk revenue loss through unauthorized discount redemption. Attackers with basic subscriber accounts can access wholesale pricing or other privileged pricing tiers without legitimate authorization. The financial exposure depends on the price differential between standard and role-restricted pricing. Additionally, unauthorized access to administrator pricing could expose special pricing strategies or cost structures. Reputational risk exists if customers discover that access controls are not enforced fairly.

Affected systems

FOX – Currency Switcher Professional for WooCommerce, all versions up to and including 1.4.6. The vulnerability only has practical impact when the fixed user-role pricing feature is actively enabled on the WooCommerce store and at least one product has a price tier configured for a privileged role (e.g., wholesale customer or administrator).

Exploitability

Exploitability is straightforward for any authenticated user. No special privileges are required to craft a malicious request—a subscriber-level account suffices. The attack requires no user interaction (automatic upon request), occurs over the network, and does not depend on complex configuration. However, the store must have the fixed user-role pricing feature enabled for the exploit to have visible effect. The low bar for authentication and simplicity of manipulation make this a practical threat in multi-tenant or affiliate-based stores where many subscribers exist.

Remediation

Update the FOX – Currency Switcher Professional for WooCommerce plugin to a version released after 1.4.6 (verify against the vendor advisory for the current patched version). The fix should validate the user's role against the authenticated session before applying any role-based pricing logic, rejecting user-supplied role parameters that do not match the real role. As an interim measure, consider disabling the fixed user-role pricing feature if it is not essential to your business model, or restrict subscriber access if possible. Monitor pricing requests for unusual role changes.

Patch guidance

Locate the plugin in your WordPress admin (Plugins > Installed Plugins) and check the current version. If running 1.4.6 or earlier, use the plugin's built-in update mechanism or manually download and install a newer version from the official source once available. After updating, test that role-based pricing still applies correctly for legitimate wholesale or administrator roles, and verify that subscriber-level test accounts can no longer access privileged pricing. Verify against the vendor advisory or FOX plugin release notes for the specific version number that resolves this issue.

Detection guidance

Monitor HTTP request logs for repeated or suspicious `wooc_order_user_roles` parameter values that do not match the authenticated user's actual role. Log access to pricing endpoints with role mismatch alerts. Use your WAF or security plugin to flag requests where the role parameter differs from the session-derived role. Check for sudden pricing adjustments or discounts applied to subscriber-level accounts that should not qualify. Audit order data for pricing anomalies—orders by low-privilege users at discounted rates intended for wholesale. Enable query logging in WooCommerce to capture role-based pricing decisions.

Why prioritize this

Although marked Medium severity, this vulnerability warrants prompt attention for e-commerce operators because it directly threatens revenue through unauthorized discounting. The low attack complexity and authentication requirement (satisfied by any subscriber) make it exploitable at scale, especially in stores with high subscriber volume. The impact is limited to pricing integrity rather than data breach or system compromise, which explains the moderate CVSS score, but the cumulative financial exposure across many transactions can be significant. Stores relying heavily on tiered pricing for margin management should treat this as higher priority.

Risk score, explained

The CVSS 3.1 score of 4.3 (Medium) reflects a network-accessible vulnerability requiring user authentication with low privileges, causing low integrity impact (unauthorized pricing access) with no confidentiality or availability impact. The score does not account for frequency of exploitation in the wild or business context; it captures technical exploitability and scope. For businesses where pricing controls are a key financial control, risk tolerance may be higher than the CVSS score suggests, warranting faster patching than the baseline Medium designation might imply.

Frequently asked questions

Do I need to worry about this if I don't use the fixed user-role pricing feature?

No. This vulnerability only manifests when the fixed user-role pricing feature is enabled and at least one product has a price configured for a privileged role. If your store does not use role-based pricing, the vulnerable code is not executed in a way that impacts transactions.

Can attackers use this to access order history, customer data, or other sensitive information?

No. This vulnerability is limited to authorization bypass for pricing logic. It does not grant access to customer data, order history, or admin functions. The attacker can only manipulate the role context used to calculate pricing; they cannot read or modify data outside the pricing calculation.

What versions of WordPress and WooCommerce are affected?

The vulnerability affects the FOX – Currency Switcher Professional plugin itself, versions up to 1.4.6. It should impact any WordPress and WooCommerce installation running the vulnerable plugin version, regardless of the WordPress or WooCommerce version, though you should ensure your WordPress and WooCommerce are themselves up to date as part of routine security maintenance.

If I update the plugin, will my existing pricing configuration be preserved?

Yes. Updates to the plugin typically preserve your settings and pricing tiers. After updating, verify in the plugin settings that your role-based pricing rules are still in place and functioning correctly for legitimate users. A brief test with subscriber and administrator accounts is recommended.

This analysis is provided for informational purposes and is based on the CVE record and public disclosure. No exploit code or weaponized proof-of-concept is provided. Organizations must verify patch availability and version numbers against official vendor advisories before deployment. Testing in a non-production environment is strongly recommended before patching production systems. This assessment does not constitute legal or compliance advice. Your organization's risk tolerance, business context, and legal obligations should inform your remediation timeline and strategy. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).