The FOX – Currency Switcher Professional for WooCommerce plugin suffers from a missing capability check in its 'admin_head' function across all versions up to 1.4.5. This flaw permits authenticated users with Contributor or higher privileges to trigger deletion of the multi-currency configuration by visiting any wp-admin page with the 'woocs_reset' parameter. The absence of nonce verification allows CSRF attacks targeting administrators. Furthermore, Subscriber-level users can exploit this if they have wp-admin access. The vulnerability is tracked as CWE-862 (Missing Authorization) and has a CVSS 3.1 base score of 8.1, indicating high severity with network attack vector, low attack complexity, and no user interaction required.

Exploitation results in the complete deletion of the multi-currency configuration within the plugin, causing loss of configuration data and potentially disrupting e-commerce operations relying on currency switching. The vulnerability can be triggered remotely by authenticated users with Contributor-level access or higher, and via CSRF attacks against administrators. Subscriber-level users may also exploit it if granted wp-admin access. There is no indication of confidentiality impact, but integrity and availability are severely affected.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is available, restrict wp-admin access to trusted users only and avoid granting Contributor or higher roles to untrusted users. Implement web application firewall (WAF) rules to detect and block requests containing the 'woocs_reset' parameter. Monitor for suspicious activity related to this parameter. Follow the vendor's official channels for updates and apply any released patches promptly.