Skip to main content

FOX (WooCommerce Currency Switcher) CVE-2026-57319

| EUVDEUVD-2026-39732 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-26 audit@patchstack.com GHSA-874g-hvw2-65jp
7.1
CVSS 3.1 · Vendor: patchstack
Share

Severity by source

Vendor (patchstack) PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
7.1 HIGH

Unauthenticated network-delivered XSS (AV:N/PR:N) requiring victim interaction (UI:R); browser-context script execution crosses scope (S:C) with limited C/I/A impact.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (patchstack).

CVSS VectorVendor: patchstack

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 26, 2026 - 15:52 vuln.today

DescriptionCVE.org

Unauthenticated Cross Site Scripting (XSS) in FOX <= 1.4.8 versions.

AnalysisAI

Reflected/stored cross-site scripting in the FOX - Currency Switcher Professional for WooCommerce WordPress plugin (versions 1.4.8 and earlier) allows unauthenticated remote attackers to inject arbitrary JavaScript that executes in a victim's browser when they interact with a crafted link or page. Because the CVSS scope is marked changed, successful injection can affect resources beyond the vulnerable component, including the broader site session. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Craft malicious XSS payload in URL
Delivery
Lure victim to click crafted link
Exploit
Plugin reflects unsanitized input
Execution
Script executes in site origin
Impact
Steal session or perform actions

Vulnerability AssessmentAI

Exploitation Exploitation requires that a victim interact with attacker-controlled input - the CVSS vector specifies UI:R, so the target user must load a crafted link or page that reaches the vulnerable FOX plugin output path; the attacker themselves needs no authentication (PR:N) and no special privileges. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are moderate and partially incomplete. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a URL or web content embedding a malicious script that targets the vulnerable FOX plugin parameter, then lures a store visitor or administrator into clicking it (UI:R). When the victim's browser loads the page, the unsanitized input is rendered and the script executes in the site's origin, enabling session cookie theft, account actions, or content manipulation. …
Remediation Update the FOX / WooCommerce Currency Switcher plugin to a version newer than 1.4.8 as soon as the vendor publishes one; a specific fixed version was not provided in the available data, so consult the Patchstack advisory (https://patchstack.com/database/wordpress/plugin/woocommerce-currency-switcher/vulnerability/wordpress-fox-plugin-1-4-8-cross-site-scripting-xss-vulnerability) and the plugin's WordPress.org changelog for the patched release before upgrading. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all WooCommerce instances using FOX Currency Switcher Professional and assess whether this plugin is actively serving customer traffic. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57319 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy