Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Wordfence's direct code review confirms unauthenticated access, overriding NVD's PR:L; scope unchanged as impact is limited to shortcode output within WordPress.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The The CURCY - Multi Currency for WooCommerce - Smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.2.14. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.
AnalysisAI
Arbitrary shortcode execution in the CURCY Multi Currency for WooCommerce WordPress plugin (versions up to and including 2.2.14) allows unauthenticated attackers to invoke any registered WordPress shortcode by sending a crafted request to a vulnerable action handler in frontend/cache.php. The root cause is a failure to validate the shortcode value before passing it to do_shortcode(), meaning any shortcode registered on the site - including those that expose user data, perform database queries, or render sensitive page content - can be triggered without authentication. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The site must be running WordPress with WooCommerce and the CURCY - Multi Currency for WooCommerce plugin installed and active in version 2.2.14 or earlier. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The official NVD CVSS score of 5.4 (Medium) uses PR:L, implying low-privilege authentication is required, but the Wordfence description explicitly states 'unauthenticated attackers' can exploit this - a direct conflict that significantly affects real-world risk assessment. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker sends a crafted HTTP POST request to the WordPress AJAX endpoint, supplying a shortcode name (such as one registered by a membership or e-commerce plugin) as the unsanitized parameter in the CURCY plugin's cache action. The plugin passes the value directly to do_shortcode(), which executes the named shortcode and returns its output to the attacker - potentially exposing order details, user data, or other content that the shortcode would normally render in an authenticated or protected context. … |
| Remediation | Update the CURCY - Multi Currency for WooCommerce plugin to a version beyond 2.2.14 once a patched release is published by VillaTheme - no confirmed fixed version is independently available at time of analysis, so monitor the WordPress plugin repository and the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/5a30e5dc-1f15-40ce-9703-1e1add1df6da for release confirmation. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-94 – Code Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41521
GHSA-j638-4r9q-m7mm