CVE-2023-6556 in FOX Plugininfo

Summary

by MITRE • 01/11/2024

The FOX – Currency Switcher Professional for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via currency options in all versions up to, and including, 1.4.1.5 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 04/11/2026

The vulnerability identified as CVE-2023-6556 affects the FOX – Currency Switcher Professional for WooCommerce plugin, a widely used WordPress extension that enables currency switching functionality for online stores. This plugin operates within the WordPress ecosystem and integrates with WooCommerce to provide multi-currency support for e-commerce transactions. The vulnerability exists in versions up to and including 1.4.1.5, making it a significant concern for WordPress site administrators who rely on this plugin for their online commerce operations. The flaw resides in the plugin's handling of currency options, specifically where user input is not properly sanitized before being stored in the database and subsequently displayed on web pages.

The technical implementation of this vulnerability stems from inadequate input sanitization and output escaping mechanisms within the plugin's codebase. When authenticated users with subscriber-level access or higher attempt to modify currency settings, the plugin fails to properly validate or escape the input data before storing it. This insufficient sanitization creates a persistent cross-site scripting vector where malicious scripts can be stored in the database and executed whenever any user accesses pages containing the compromised currency options. The vulnerability is classified as stored XSS because the malicious payload is permanently saved and executed during subsequent page requests rather than being reflected in a single HTTP response.
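The two patterns described above, as an added illustration that is not the plugin's own code: a settings handler that stores raw input and echoes it unescaped (the CWE-79 shape), next to a hardened handler that checks capability and nonce, sanitizes on input and escapes on output. The option name `fox_demo_currency_label`, the form field `currency_label` and the nonce action are hypothetical; the WordPress and WooCommerce functions used (`sanitize_text_field`, `esc_attr`, `esc_html`, `check_admin_referer`, `register_setting`, the `manage_woocommerce` capability) are real.

```php
<?php
// Added example; option and field names are assumptions, not from the plugin.

// Vulnerable pattern: no capability check, no nonce, raw input stored, raw
// value echoed. Any logged-in user who can reach this handler can persist
// markup that is later rendered for every visitor.
function fox_demo_save_currency_vulnerable() {
    update_option( 'fox_demo_currency_label', $_POST['currency_label'] ?? '' );
}

function fox_demo_render_currency_vulnerable() {
    echo '<span class="currency">' . get_option( 'fox_demo_currency_label' ) . '</span>';
}

// Hardened pattern.
function fox_demo_save_currency_hardened() {
    // Only users allowed to manage shop settings may change currency options;
    // subscriber-level accounts do not hold this capability.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    // CSRF protection for the settings form (nonce action is hypothetical).
    check_admin_referer( 'fox_demo_save_currency' );

    // Sanitize on input: strip tags/control chars and bound the length.
    $label = sanitize_text_field( wp_unslash( $_POST['currency_label'] ?? '' ) );
    $label = mb_substr( $label, 0, 32 );
    update_option( 'fox_demo_currency_label', $label );
}

function fox_demo_render_currency_hardened() {
    // Escape on output, using the escaper for the context the value lands in:
    // esc_attr() inside an attribute, esc_html() inside element text.
    $label = get_option( 'fox_demo_currency_label', '' );
    echo '<span class="currency" data-label="' . esc_attr( $label ) . '">'
       . esc_html( $label ) . '</span>';
}

// Defence in depth: attach a sanitize_callback to the setting so that every
// write through the Settings API is sanitized, not only this handler.
add_action( 'admin_init', function () {
    register_setting( 'fox_demo_group', 'fox_demo_currency_label', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
        'default'           => '',
    ) );
} );
```

The point of keeping both layers is that sanitizing on input protects the database from the value described in this advisory, while escaping on output protects the page even when a value reached the database by another path (an import, a migration, an older plugin version).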

From an operational perspective, this vulnerability poses a substantial risk to WordPress sites utilizing the affected plugin. Attackers with subscriber-level access can exploit this weakness to inject malicious JavaScript code that could perform various malicious activities including session hijacking, redirecting users to phishing sites, stealing sensitive information, or defacing the website. The impact extends beyond individual user sessions as the stored payload affects all users who access pages containing the compromised currency data. This vulnerability particularly threatens e-commerce sites where users may have elevated privileges or where subscriber accounts are easily accessible, as it could lead to complete compromise of the site's integrity and user data.

The security implications of this vulnerability align with CWE-79 which describes Cross-Site Scripting vulnerabilities, and can be mapped to ATT&CK technique T1566.001 for the initial compromise through malicious web content. Organizations should immediately implement mitigations including updating to the latest version of the plugin where the vulnerability has been patched, implementing proper input validation and output escaping measures, and monitoring for any suspicious activities related to currency settings modifications. Additionally, administrators should consider implementing web application firewalls, restricting unnecessary user privileges, and conducting regular security audits of WordPress plugins to prevent similar vulnerabilities from affecting their digital infrastructure. The vulnerability demonstrates the critical importance of proper input sanitization in web applications and highlights the need for continuous security testing and patch management processes.
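One way to implement the monitoring the paragraph above recommends, as an added example rather than anything from VulDB or the plugin: an `updated_option` hook that logs every change to currency-related options with the acting user and raises an alert when the new value still contains markup after tag stripping. The `fox_demo_` option prefix and the use of `error_log`/`wp_mail` as the alert channel are assumptions; `updated_option`, `wp_strip_all_tags`, `wp_get_current_user` and `wp_mail` are real WordPress APIs.

```php
<?php
// Added monitoring example; the option prefix and alert channel are assumptions.

/**
 * True when a stored value carries HTML markup, i.e. something other than
 * plain text reached a currency option. Entities are decoded first so that
 * an encoded angle bracket is not missed.
 */
function fox_demo_value_contains_markup( $value ) {
    if ( ! is_string( $value ) ) {
        $value = (string) wp_json_encode( $value );
    }
    $decoded = html_entity_decode( $value, ENT_QUOTES | ENT_HTML5, 'UTF-8' );
    return wp_strip_all_tags( $decoded ) !== $decoded;
}

// Audit every change to a currency-related option and alert on markup.
add_action( 'updated_option', function ( $option, $old_value, $value ) {
    if ( strpos( $option, 'fox_demo_' ) !== 0 ) {
        return; // not a currency option
    }
    $user = wp_get_current_user(); // ID 0 when triggered by cron/CLI
    error_log( sprintf(
        '[currency-option-audit] option=%s user=%s id=%d',
        $option,
        $user->user_login !== '' ? $user->user_login : 'system',
        $user->ID
    ) );

    if ( fox_demo_value_contains_markup( $value ) ) {
        error_log( '[currency-option-audit] markup detected in option ' . $option );
        wp_mail(
            get_option( 'admin_email' ),
            'Suspicious currency option change',
            "Option {$option} now contains HTML markup. Review it in the admin UI "
            . "and confirm the plugin is at a patched version (newer than 1.4.1.5)."
        );
    }
}, 10, 3 );
```

The hook fires for any code path that calls `update_option`, so it covers admin forms, AJAX and REST handlers alike; it does not cover values already in the database, which a one-off pass with `wp option list --search='fox_*'` and the same `fox_demo_value_contains_markup` check can review after upgrading past 1.4.1.5.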

Responsible

Wordfence

Reservation

12/06/2023

Disclosure

01/11/2024

Moderation

accepted

CPE

ready

EPSS

0.00342

KEV

no

Activities

very low

Sources
