{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39501", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:47:43.844Z", "datePublished": "2026-04-08T08:30:13.172Z", "dateUpdated": "2026-04-10T18:00:49.721Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "woocommerce-currency-switcher", "product": "FOX", "vendor": "RealMag777", "versions": [{"changes": [{"at": "1.4.6", "status": "unaffected"}], "lessThanOrEqual": "1.4.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Que Thanh Tuan | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:29:01.461Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in RealMag777 FOX woocommerce-currency-switcher allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects FOX: from n/a through <= 1.4.5.</p>"}], "value": "Missing Authorization vulnerability in RealMag777 FOX woocommerce-currency-switcher allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FOX: from n/a through <= 1.4.5."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:13.172Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/woocommerce-currency-switcher/vulnerability/wordpress-fox-plugin-1-4-5-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress FOX plugin <= 1.4.5 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-10T18:00:43.164438Z", "id": "CVE-2026-39501", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T18:00:49.721Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-39501", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-10T18:00:43.164438Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-10T18:00:33.769Z"}}], "cna": {"title": "WordPress FOX plugin <= 1.4.5 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Que Thanh Tuan | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "RealMag777", "product": "FOX", "versions": [{"status": "affected", "changes": [{"at": "1.4.6", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "1.4.5"}], "packageName": "woocommerce-currency-switcher", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-08T10:29:01.461Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/woocommerce-currency-switcher/vulnerability/wordpress-fox-plugin-1-4-5-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in RealMag777 FOX woocommerce-currency-switcher allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FOX: from n/a through <= 1.4.5.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in RealMag777 FOX woocommerce-currency-switcher allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects FOX: from n/a through <= 1.4.5.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:13.172Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39501", "state": "PUBLISHED", "dateUpdated": "2026-04-10T18:00:49.721Z", "dateReserved": "2026-04-07T10:47:43.844Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-04-08T08:30:13.172Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in RealMag777 FOX woocommerce-currency-switcher allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FOX: from n/a through <= 1.4.5."}], "id": "CVE-2026-39501", "lastModified": "2026-04-10T18:16:44.417", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-08T09:16:24.373", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/woocommerce-currency-switcher/vulnerability/wordpress-fox-plugin-1-4-5-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "fox", "vendor": "realmag777"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T09:22:44.787019+00:00", "value": {"mitigation_remediation": ["Update the FOX plugin to a version newer than 1.4.5.", "If an update is not immediately possible, remove or disable the plugin to eliminate the attack surface.", "Restrict administrative access to the WordPress backend by limiting IP addresses and enabling two\u2011factor authentication."], "summary": {"action": "Apply Patch", "impact": "Broken Access Control"}, "threat_synthesis": {"affected_systems": "WordPress sites that have installed the RealMag777 FOX plugin, specifically any version up to and including 1.4.5. The plugin is used to manage currency switching on WooCommerce stores, and the flaw exists across all historical releases prior to the stated version limit.", "description_and_impact": "The vulnerability is a missing authorization flaw in the RealMag777 FOX WooCommerce currency switcher plugin. It allows attackers to exploit incorrectly configured access control settings, enabling them to perform actions that should otherwise require higher privileges, such as modifying or deleting currency configurations and other plugin data. This breach could lead to service disruption or unauthorized changes that affect a site\u2019s availability and integrity.", "risk_and_exploitability": "The CVSS score is not provided, and the EPSS score is unavailable, but the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is via the WordPress web interface, where an attacker can send crafted requests to the plugin\u2019s endpoints without proper authorization. Because the flaw directly bypasses access controls, exploitation appears straightforward and could be carried out by an unauthenticated or low\u2011privileged user, especially if the WordPress installation is publicly reachable. The potential impact includes unauthorized configuration changes, data leakage, and disruption of e\u2011commerce operations."}}}}, "created": "2026-04-08T19:43:04.845646+00:00", "updated": "2026-04-09T08:22:14.787485+00:00", "vendors": ["realmag777", "realmag777$PRODUCT$fox", "wordpress", "wordpress$PRODUCT$wordpress"]}