CVE-2021-24566

8.8 HIGH (CVSS v3 base score)

📋 TL;DR

The WooCommerce Currency Switcher FOX WordPress plugin before version 1.3.7 contains a Local File Inclusion (LFI) vulnerability reachable through the 'woocs' shortcode: a crafted shortcode makes the plugin include a file path of the attacker's choosing from the server's filesystem. In PHP an inclusion discloses non-PHP files and executes PHP ones, so the bug exposes configuration and credential material and, where the attacker can seed a file with PHP, becomes code execution. Shortcodes are expanded from stored post content, so the attacker must be able to get the crafted shortcode into a page; the 8.8 score assumes an attacker who already holds a low-privilege account able to do that (see Exploit Status). Every WordPress site running a vulnerable version of the plugin is affected.

💻 Affected Systems

Products:
  • WooCommerce Currency Switcher FOX WordPress plugin
Versions: All versions before 1.3.7
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with the vulnerable plugin activated.

📦 What is this software?

WooCommerce Currency Switcher FOX is a WooCommerce extension that lets shop visitors view prices and check out in other currencies; the currency selector is placed in pages and posts through the [woocs] shortcode.

⚠️ Risk & Real-World Impact

🔴

Worst Case

A PHP file inclusion executes the target rather than displaying it, which gives the attacker two primitives: disclosure of any non-PHP file the web server user can read (logs, backup copies such as wp-config.php.bak, .htaccess, /etc/passwd), and execution of any file they can seed with PHP, for example an uploaded media file. wp-config.php itself is executed rather than echoed when included, but php://filter-style wrappers, where the sink permits them, still dump it. Either route ends in full site compromise: database credentials and salts are exposed, a backdoor can be planted, and the attacker holds the web server user's privileges on the host.

🟠

Likely Case

An attacker with a low-privilege account on the site saves a shortcode that points at files of interest, reads what the rendered page returns, and harvests configuration and credential material; that leads to database access and data exfiltration or manipulation.

🟢

If Mitigated

File permissions help less than they appear to: the web server user must already be able to read wp-config.php and the plugin's own files, and the inclusion runs with exactly those rights. What narrows the blast radius is keeping untrusted accounts out of content-authoring roles, a WAF rule for traversal sequences, and PHP open_basedir confinement; with those in place the attacker is limited to files inside the WordPress tree that hold nothing sensitive.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Unlikely as stated; the 8.8 base score implies an attacker with a low-privilege account (see note)
Complexity: LOW

Exploitation goes through the 'woocs' shortcode. WordPress expands shortcodes from stored post content, so the attacker needs a way to get a crafted shortcode, with attributes of their choosing, saved into a page or post, which in practice means an account that may author content. A visitor who merely loads a page carrying a normally configured shortcode does not control the included path. A fully unauthenticated, no-interaction attack with High confidentiality, integrity and availability impact would score 9.8, so the 8.8 rating on this page matches the low-privilege reading.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.3.7

Vendor Advisory: https://jetpack.com/2021/07/22/severe-vulnerability-patched-in-woocommerce-currency-switcher/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Find 'WooCommerce Currency Switcher FOX'.
4. Click 'Update Now' if available, or manually update to version 1.3.7 or later.
5. Verify the plugin version after the update.

🔧 Temporary Workarounds

Disable vulnerable plugin (platform: all)

Deactivate the plugin until it can be updated. The slug wp-cli needs is the plugin's directory name under wp-content/plugins, which is not necessarily 'woo-currency-switcher-fox'; read it from the first command before running the second:

wp plugin list --fields=name,title,version,status | grep -i 'currency switcher'
wp plugin deactivate <slug-from-the-previous-command>

Remove woocs shortcode usage (platform: all)

Remove or replace every instance of the [woocs] shortcode in posts, pages and widgets, and keep untrusted accounts from adding new ones: a crafted shortcode only does harm once it is saved into content, so this is a stop-gap for sites whose authors are all trusted, not a fix.

🧯 If You Can't Patch

  • Restrict who can save content: review Contributor, Author and Editor accounts, since the crafted shortcode has to be stored in a post or page before it runs
  • Add web application firewall (WAF) rules that block traversal sequences (../, ..\ and their URL-encoded forms) in query strings and in request bodies, the latter being where a shortcode saved through the editor or the REST API travels
  • Confine PHP with open_basedir and keep filesystem permissions tight, accepting that the web server user must still be able to read the files WordPress itself needs

🔍 How to Verify

Check if Vulnerable:

In WordPress admin go to Plugins > Installed Plugins and read the version shown for 'WooCommerce Currency Switcher FOX'. Anything below 1.3.7 is vulnerable. The plugin is only exploitable while active, but an installed-and-inactive copy should still be updated before anyone reactivates it.

Check Version:

wp-cli's --name filter matches the plugin slug (directory name), not the display title, so list first and then query by slug:

wp plugin list --fields=name,title,version,status | grep -i 'currency switcher'
wp plugin get <slug> --field=version

Without wp-cli, the version is the Version: line in the header of the plugin's main PHP file under wp-content/plugins/<slug>/.

Verify Fix Applied:

After updating, confirm the version shows 1.3.7 or higher both in the admin panel and in the on-disk Version: header, and check that no second copy of the plugin exists under a different directory name (wp plugin list shows every installed copy).
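Where wp-cli is unavailable, the same check can be made from the plugin file headers on disk. The script below is an added example for this page, not code from the plugin or the vendor: it parses the standard Plugin Name:/Version: header, compares the version against 1.3.7 (handling four-part versions and pre-release suffixes, which a plain string comparison gets wrong), and walks a plugins directory. demo() builds a constructed directory with made-up slugs so it runs offline; point scan_plugins_dir() at a real wp-content/plugins to use it.

```python
"""Locate every copy of the currency switcher plugin under wp-content/plugins
and decide whether its version predates the 1.3.7 fix.

Added example for this advisory; not code from the plugin or the vendor.
Assumptions: the plugin's main file carries the standard WordPress header
(Plugin Name: / Version:) and its display name contains 'currency switcher'.
"""
import re
import tempfile
from pathlib import Path

FIXED_VERSION = "1.3.7"

# WordPress reads these keys from the comment block at the top of the plugin's
# main file; the optional leading '*' covers the /** ... */ header style.
HEADER_RE = re.compile(
    r"^[ \t]*\*?[ \t]*(?P<key>Plugin Name|Version)[ \t]*:[ \t]*(?P<value>\S.*?)[ \t]*$",
    re.MULTILINE,
)


def parse_plugin_header(text: str) -> dict:
    """Return {'Plugin Name': ..., 'Version': ...} for the keys present."""
    return {m.group("key"): m.group("value") for m in HEADER_RE.finditer(text)}


def version_key(version: str) -> tuple:
    """Comparison key: numeric components with trailing zeros dropped, so that
    1.3.7 == 1.3.7.0, plus a final 0/1 flag that orders a pre-release
    (1.3.7-beta) before the release it precedes."""
    numbers = []
    prerelease = False
    for piece in re.split(r"[.\-+]", version.strip()):
        digits = re.match(r"\d+", piece)
        if digits is None:
            prerelease = True
            break
        numbers.append(int(digits.group(0)))
        if digits.group(0) != piece:  # e.g. '7beta'
            prerelease = True
            break
    while numbers and numbers[-1] == 0:
        numbers.pop()
    return tuple(numbers) + ((0,) if prerelease else (1,))


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed release."""
    return version_key(version) < version_key(fixed)


def scan_plugins_dir(plugins_dir, name_fragment: str = "currency switcher"):
    """Walk <plugins_dir>/*/*.php and report (slug, name, version, vulnerable)
    for every plugin whose display name contains name_fragment."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        header = parse_plugin_header(php.read_text(errors="ignore"))
        name = header.get("Plugin Name", "")
        if name_fragment in name.lower() and "Version" in header:
            version = header["Version"]
            findings.append((php.parent.name, name, version, is_vulnerable(version)))
    return findings


def demo():
    """Build a constructed plugins directory (made-up slugs) holding one
    outdated copy, one patched copy and one unrelated plugin, then scan it."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "currency-switcher-old": "1.3.6",
        "currency-switcher-new": "1.3.7",
        "unrelated-plugin": None,
    }
    for slug, version in samples.items():
        (root / slug).mkdir()
        if version is None:
            body = "<?php\n/*\nPlugin Name: Something Else\nVersion: 9.9\n*/\n"
        else:
            body = f"<?php\n/**\n * Plugin Name: WooCommerce Currency Switcher\n * Version: {version}\n */\n"
        (root / slug / "index.php").write_text(body)
    return scan_plugins_dir(root)


if __name__ == "__main__":
    for slug, name, version, vulnerable in demo():
        print(f"{slug}: {name} {version} -> {'VULNERABLE' if vulnerable else 'ok'}")
```

The version key treats 1.3.7-beta as older than 1.3.7 and 1.3.10 as newer, which is what matters when deciding whether the fixed release is actually installed.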

📡 Detection & Monitoring

Log Indicators:

  • Requests whose query string or path carries 'woocs' together with a traversal sequence: ../ or ..\, and the URL-encoded forms %2e%2e%2f, %2e%2e/ and double-encoded %252e%252e%252f, which a search for the literal ../ misses
  • Null bytes (%00) in the same requests, the classic attempt to truncate an extension the code appends to the path
  • Because shortcodes are expanded from stored post content, the crafted string may never appear in a GET line at all: it arrives in the POST body that saves the post (wp-admin/post.php, admin-ajax.php or the REST posts endpoint), which default access logs do not record. Search post_content and post revisions in the database for [woocs shortcodes whose attributes contain traversal sequences, and review which account saved them and when.

Network Indicators:

  • Requests to pages that render the woocs shortcode carrying file path parameters, in particular names such as wp-config.php or well-known files such as /etc/passwd

SIEM Query:

web.url:*woocs* AND (web.uri:*../* OR web.uri:*..\* OR web.uri:*%2e%2e%2f* OR web.uri:*%2e%2e/* OR web.uri:*%252e%252e%252f*)

The web.url:*woocs* clause keeps the alert quiet; drop it when hunting, because the URL of the page that renders the shortcode need not contain the string 'woocs'.
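The log and content indicators above, run over constructed sample data, as an added example that is not code from this page, the plugin or the vendor. The 'woocs' query parameter and the attr shortcode attribute in the samples are placeholders, not the plugin's real parameter names. The scan decodes URL encoding repeatedly before matching, so encoded and double-encoded traversal are caught; it reports every traversal hit and only annotates whether the URL mentions woocs; and it applies the same test to [woocs] shortcodes found in post_content rows pulled from the database.

```python
"""Hunt for traversal attempts aimed at the woocs shortcode in two places:
web server access logs and stored post content.

Added example for this advisory; not code from the page, the plugin or the
vendor. The log lines and post rows are constructed; the 'woocs' query
parameter and the 'attr' shortcode attribute are placeholders, not the
plugin's real names.
"""
import re
from urllib.parse import unquote

# Combined log format: ip ident user [time] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# A [woocs ...] shortcode and its attribute string, as stored in post_content.
SHORTCODE_RE = re.compile(r"\[woocs\b(?P<attrs>[^\]]*)\]", re.IGNORECASE)

# ../ or ..\ after decoding
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")


def normalize(value: str, rounds: int = 3) -> str:
    """URL-decode until stable (bounded), so %2e%2e%2f and the double-encoded
    %252e%252e%252f both become ../; also drop NULs that arrive as %00."""
    current = value
    for _ in range(rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    return current.replace("\x00", "")


def suspicious(value: str) -> list:
    """Reasons a raw request or attribute string deserves triage."""
    reasons = []
    decoded = normalize(value)
    if TRAVERSAL_RE.search(decoded):
        reasons.append("traversal")
    if "%00" in value.lower() or "\x00" in value:
        reasons.append("null byte")
    if "wp-config" in decoded.lower() or "/etc/passwd" in decoded.lower():
        reasons.append("sensitive file name")
    return reasons


def scan_access_log(lines):
    """Return (ip, path, reasons) for each request matching the indicators.
    Every hit is reported; whether the URL also mentions woocs is recorded
    rather than used as a filter, because the page that renders the shortcode
    need not have 'woocs' in its URL."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        path = m.group("path")
        reasons = suspicious(path)
        if reasons:
            if "woocs" in normalize(path).lower():
                reasons.append("mentions woocs")
            findings.append((m.group("ip"), path, reasons))
    return findings


def scan_post_content(posts):
    """posts: iterable of (post_id, post_content) rows from the database.
    Report every [woocs] shortcode whose attributes carry a traversal,
    a null byte or a sensitive file name."""
    findings = []
    for post_id, content in posts:
        for sc in SHORTCODE_RE.finditer(content):
            reasons = suspicious(sc.group("attrs"))
            if reasons:
                findings.append((post_id, sc.group(0), reasons))
    return findings


# Constructed sample data (RFC 5737 documentation addresses).
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Jul/2021:10:01:02 +0000] "GET /shop/?woocs=../../wp-config.php HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '203.0.113.5 - - [22/Jul/2021:10:01:09 +0000] "GET /shop/?woocs=%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '203.0.113.5 - - [22/Jul/2021:10:01:15 +0000] "GET /blog/?p=42&x=%252e%252e%252fwp-config.php%00 HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '198.51.100.9 - - [22/Jul/2021:10:02:00 +0000] "GET /shop/?woocs=USD HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [22/Jul/2021:10:02:30 +0000] "GET /product/red-shoes/ HTTP/1.1" 200 9912 "-" "Mozilla/5.0"',
]

SAMPLE_POSTS = [
    (17, 'Prices in your currency: [woocs attr="1" show_flags="1"]'),
    (42, 'Hello [woocs attr="../../../../wp-config.php"] world'),
    (43, '[WOOCS attr="%2e%2e%2f%2e%2e%2fuploads%2fshell.txt"]'),
]


if __name__ == "__main__":
    for ip, path, reasons in scan_access_log(SAMPLE_LOG):
        print(f"log  {ip} {path} -> {', '.join(reasons)}")
    for post_id, shortcode, reasons in scan_post_content(SAMPLE_POSTS):
        print(f"post {post_id} {shortcode} -> {', '.join(reasons)}")
```

Feed scan_post_content() the rows of a query such as selecting ID and post_content from the posts table where post_content contains '[woocs'; the third sample line shows why decoding matters, since its double-encoded traversal and %00 would pass a search for the literal ../ untouched.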

🔗 References

  • Jetpack, Severe Vulnerability Patched in WooCommerce Currency Switcher (22 July 2021): https://jetpack.com/2021/07/22/severe-vulnerability-patched-in-woocommerce-currency-switcher/