Skip to main content

WPCS Currency Switcher EUVDEUVD-2026-32184

| CVE-2026-42733 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-27 audit@patchstack.com GHSA-5fwp-297j-vmx7
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
May 27, 2026 - 20:49 vuln.today

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 WPCS currency-switcher allows DOM-Based XSS.This issue affects WPCS: from n/a through <= 1.3.1.

AnalysisAI

DOM-Based cross-site scripting in RealMag777's WPCS (Currency Switcher) WordPress plugin affects all versions through 1.3.1 (EUVD-2026-32184), allowing remote unauthenticated attackers to inject script that executes in a victim's browser when the victim is lured into a crafted interaction. The CVSS:3.1 vector (AV:N/PR:N/UI:R/S:C) reflects network-reachable, no-privilege exploitation that requires user interaction but crosses a security scope boundary. No public exploit identified at time of analysis, and EPSS is very low (0.03%, 10th percentile), indicating little observed real-world targeting.

Technical ContextAI

WPCS (Currency Switcher) is a WordPress plugin from RealMag777 that lets store visitors switch the displayed currency, typically integrating with WooCommerce-style storefronts. The flaw is classed as CWE-79 (Improper Neutralization of Input During Web Page Generation), specifically a DOM-Based variant: untrusted input flows into a client-side sink (e.g., JavaScript writing to the page DOM) without proper neutralization, so the malicious payload is assembled and executed entirely in the browser rather than reflected by the server. Because it is DOM-based, the injection often travels via URL fragments or parameters that client-side script reads, meaning server-side request logging may not capture the payload. No CPE strings were supplied in the input; affected-product identification relies on the EUVD entry (WPCS 0 ≤ 1.3.1) and the Patchstack reference.

RemediationAI

No vendor-released patch version is identified in the available data - the issue is reported as affecting through ≤ 1.3.1 with no confirmed fixed release, so administrators should monitor the WordPress.org plugin page and the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/currency-switcher/vulnerability/wordpress-wpcs-plugin-1-3-1-cross-site-scripting-xss-vulnerability?_s_id=cve) and upgrade to a version above 1.3.1 as soon as one is published. Until a patched release is confirmed, the most effective compensating control is to deactivate and remove the WPCS plugin if currency switching is non-essential, which fully removes the vulnerable client-side code at the cost of losing the currency-switcher feature. As a less disruptive alternative, deploy a WAF or virtual-patch rule (Patchstack and similar offer one) to filter XSS payloads against the plugin's parameters, accepting that DOM-based payloads delivered via URL fragments may evade server-side filtering; additionally enforce a strict Content-Security-Policy to constrain inline/script execution and restrict plugin-related admin pages to trusted users, recognizing CSP can break legitimate inline scripts and require tuning.

Share

EUVD-2026-32184 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy