PatchSiren cyber security CVE debrief

CVE-2026-9241 realmag777 CVE debrief

A medium-severity authorization bypass vulnerability in the FOX – Currency Switcher Professional for WooCommerce plugin allows authenticated attackers with Subscriber-level access or higher to impersonate privileged roles and obtain unauthorized pricing. The flaw exists in the `get_value()` function within `classes/fixed/fixed_user_role.php`, which trusts the attacker-controlled `$_REQUEST['wooc_order_user_roles']` parameter without validation to determine role context for price resolution. This permits overriding legitimate role data from the authenticated user's session. The vulnerability is exploitable only when the fixed user-role pricing feature is enabled and at least one product has privileged-role pricing configured. The issue affects all versions up to and including 1.4.6. The vulnerability was disclosed on 2026-05-28 and carries a CVSS 3.1 score of 4.3 (Medium).

Vendor: realmag777
Product: FOX – Currency Switcher Professional for WooCommerce
CVSS: 4.3 (Medium)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-28
Advisory published: 2026-05-28
Advisory updated: 2026-05-28

Who should care

WordPress site administrators running FOX – Currency Switcher Professional for WooCommerce with role-based pricing enabled; WooCommerce store operators with tiered pricing structures; security teams monitoring for pricing integrity violations in e-commerce platforms

Technical summary

The vulnerability stems from insufficient input validation in the role-based pricing resolution mechanism. The `get_value()` function directly consumes `$_REQUEST['wooc_order_user_roles']` to establish role context, bypassing the authoritative `$user->roles` data from the authenticated session. This architectural weakness enables client-side role specification, violating the security principle that privilege context must be server-authoritative. The attack surface is constrained by the requirement for authenticated access and the prerequisite configuration state (fixed user-role pricing enabled with differential pricing configured).
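To make the weakness concrete, here is an added, simplified illustration (not the plugin's own code) of a role-based price resolver in the vulnerable shape the summary describes and in a hardened shape. The function names, the price table and the sample session/request data are all constructed for the example; in a real WordPress request the authoritative roles would come from `wp_get_current_user()->roles`.

```php
<?php
// Added illustrative example, not code from the FOX plugin.
// $role_prices maps a role slug to a fixed product price (constructed data);
// $session_roles stands in for the authenticated user's server-side roles;
// $request stands in for $_REQUEST.

// Vulnerable pattern: role context is taken from a client-supplied parameter
// when present, so any authenticated user can name a privileged role.
function resolve_role_price_vulnerable(array $role_prices, array $session_roles, array $request, float $base_price): float
{
    $roles = isset($request['wooc_order_user_roles'])
        ? (array) $request['wooc_order_user_roles']
        : $session_roles;
    foreach ($roles as $role) {
        if (isset($role_prices[$role])) {
            return (float) $role_prices[$role];
        }
    }
    return $base_price;
}

// Hardened pattern: the request is never consulted; roles are server-authoritative
// (in WordPress, wp_get_current_user()->roles).
function resolve_role_price(array $role_prices, array $session_roles, float $base_price): float
{
    foreach ($session_roles as $role) {
        if (isset($role_prices[$role])) {
            return (float) $role_prices[$role];
        }
    }
    return $base_price;
}

// Constructed sample data: a Subscriber-level session whose request claims a
// privileged role that has a lower fixed price configured.
$role_prices   = ['wholesale_buyer' => 60.00, 'subscriber' => 100.00];
$session_roles = ['subscriber'];
$request       = ['wooc_order_user_roles' => ['wholesale_buyer']];
$base_price    = 100.00;

printf("vulnerable resolver: %.2f\n", resolve_role_price_vulnerable($role_prices, $session_roles, $request, $base_price));
printf("hardened resolver:   %.2f\n", resolve_role_price($role_prices, $session_roles, $base_price));
```

The vulnerable resolver honours the claimed role and returns the privileged price, while the hardened resolver ignores the parameter and prices the session's actual role.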

Defensive priority

Medium

Recommended defensive actions

  • Update FOX – Currency Switcher Professional for WooCommerce to version 1.4.7 or later
  • If immediate patching is not possible, disable the fixed user-role pricing feature until the update can be applied
  • Review WooCommerce order logs for anomalous pricing requests that may indicate exploitation attempts
  • Implement Web Application Firewall rules to detect and block requests containing manipulated `wooc_order_user_roles` parameters
  • Audit product configurations to identify any privileged-role pricing that could be targeted by this vulnerability

Evidence notes

Vulnerability confirmed via Wordfence security advisory and WordPress plugin repository source code analysis. The vulnerable code path is documented at lines 228-229 of `fixed_user_role.php`, with the request parameter handling visible at line 2271 of `woocs.php`. A changeset is available showing remediation activity.
