CVE-2026-11778: CWE-94 Improper Control of Generation of Code ('Code Injection') in villatheme CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x
The CURCY – Multi Currency for WooCommerce – Smoothly plugin for WooCommerce 9.x contains a code injection vulnerability allowing unauthenticated attackers to execute arbitrary shortcodes. This affects all versions up to and including 2.2.14. The issue arises from improper validation before calling do_shortcode, enabling arbitrary shortcode execution.
AI Analysis
Technical Summary
CVE-2026-11778 is a CWE-94 code injection vulnerability in the CURCY – Multi Currency for WooCommerce – Smoothly plugin for WooCommerce 9.x. The vulnerability allows unauthenticated attackers to execute arbitrary shortcodes due to insufficient validation of input before invoking the WordPress do_shortcode function. This affects all plugin versions up to and including 2.2.14. The CVSS 3.1 base score is 5.4 (medium severity), reflecting network attack vector, low attack complexity, low privileges required, no user interaction, and limited confidentiality and integrity impact.
Potential Impact
An attacker can execute arbitrary shortcodes without authentication, potentially leading to unauthorized actions or information disclosure within the WordPress environment. The impact is limited to partial confidentiality and integrity loss, with no availability impact reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. No official fix or patch links are currently available. Until a patch is released, restrict access to plugin functionality and monitor for suspicious shortcode usage. Avoid exposing shortcode execution functionality to unauthenticated users.
CVSS v3.1 score: 5.4 (medium)
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-06-09T12:15:26.855Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a47782a27e9c797195c1275
Added to database: 07/03/2026, 08:51:54 UTC
Last enriched: 07/03/2026, 09:06:46 UTC
Last updated: 07/03/2026, 09:35:14 UTC