Skip to main content

CURCY Multi Currency CVE-2026-11778

| EUVDEUVD-2026-41521 MEDIUM
Code Injection (CWE-94)
2026-07-03 Wordfence GHSA-j638-4r9q-m7mm
5.4
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
vuln.today AI
6.5 MEDIUM

Wordfence's direct code review confirms unauthenticated access, overriding NVD's PR:L; scope unchanged as impact is limited to shortcode output within WordPress.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 03, 2026 - 09:15 vuln.today
CVE Published
Jul 03, 2026 - 07:53 cve.org
MEDIUM 5.4

DescriptionCVE.org

The The CURCY - Multi Currency for WooCommerce - Smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.2.14. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

AnalysisAI

Arbitrary shortcode execution in the CURCY Multi Currency for WooCommerce WordPress plugin (versions up to and including 2.2.14) allows unauthenticated attackers to invoke any registered WordPress shortcode by sending a crafted request to a vulnerable action handler in frontend/cache.php. The root cause is a failure to validate the shortcode value before passing it to do_shortcode(), meaning any shortcode registered on the site - including those that expose user data, perform database queries, or render sensitive page content - can be triggered without authentication. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify target WordPress site running CURCY plugin
Delivery
Send unauthenticated POST to vulnerable cache.php action
Exploit
Supply arbitrary shortcode name as unsanitized parameter
Execution
WordPress do_shortcode() executes attacker-chosen shortcode
Impact
Attacker receives rendered shortcode output containing sensitive data or injected content

Vulnerability AssessmentAI

Exploitation The site must be running WordPress with WooCommerce and the CURCY - Multi Currency for WooCommerce plugin installed and active in version 2.2.14 or earlier. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The official NVD CVSS score of 5.4 (Medium) uses PR:L, implying low-privilege authentication is required, but the Wordfence description explicitly states 'unauthenticated attackers' can exploit this - a direct conflict that significantly affects real-world risk assessment. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends a crafted HTTP POST request to the WordPress AJAX endpoint, supplying a shortcode name (such as one registered by a membership or e-commerce plugin) as the unsanitized parameter in the CURCY plugin's cache action. The plugin passes the value directly to do_shortcode(), which executes the named shortcode and returns its output to the attacker - potentially exposing order details, user data, or other content that the shortcode would normally render in an authenticated or protected context. …
Remediation Update the CURCY - Multi Currency for WooCommerce plugin to a version beyond 2.2.14 once a patched release is published by VillaTheme - no confirmed fixed version is independently available at time of analysis, so monitor the WordPress plugin repository and the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/5a30e5dc-1f15-40ce-9703-1e1add1df6da for release confirmation. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11778 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy