Curcy Multi Currency For Woocommerce Smoothly On Woocommerce 9 X
Monthly
Arbitrary shortcode execution in the CURCY Multi Currency for WooCommerce WordPress plugin (versions up to and including 2.2.14) allows unauthenticated attackers to invoke any registered WordPress shortcode by sending a crafted request to a vulnerable action handler in frontend/cache.php. The root cause is a failure to validate the shortcode value before passing it to do_shortcode(), meaning any shortcode registered on the site - including those that expose user data, perform database queries, or render sensitive page content - can be triggered without authentication. No public exploit has been identified at time of analysis, and no CISA KEV listing is present, though the low attack complexity and zero-authentication requirement elevate practical risk above what the moderate CVSS score suggests.
Arbitrary shortcode execution in the CURCY Multi Currency for WooCommerce WordPress plugin (versions up to and including 2.2.14) allows unauthenticated attackers to invoke any registered WordPress shortcode by sending a crafted request to a vulnerable action handler in frontend/cache.php. The root cause is a failure to validate the shortcode value before passing it to do_shortcode(), meaning any shortcode registered on the site - including those that expose user data, perform database queries, or render sensitive page content - can be triggered without authentication. No public exploit has been identified at time of analysis, and no CISA KEV listing is present, though the low attack complexity and zero-authentication requirement elevate practical risk above what the moderate CVSS score suggests.