CVE-2025-2169

7.3 HIGH

📋 TL;DR

The WPCS WordPress Currency Switcher Professional plugin up to version 1.2.0.4 allows unauthenticated attackers to execute arbitrary WordPress shortcodes due to insufficient input validation. This vulnerability affects all WordPress sites using the vulnerable plugin versions. Attackers can leverage this to execute malicious code or access restricted functionality.

💻 Affected Systems

Products:
  • WPCS - WordPress Currency Switcher Professional
Versions: All versions up to and including 1.2.0.4
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations with the vulnerable plugin are affected regardless of configuration.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could execute arbitrary PHP code through shortcodes, leading to complete site compromise, data theft, or server takeover.

🟠 Likely Case

Attackers execute existing WordPress shortcodes to access sensitive information, modify content, or perform unauthorized actions.

🟢 If Mitigated

With proper input validation and shortcode filtering, impact is limited to non-critical functionality exposure.

🌐 Internet-Facing: HIGH - Unauthenticated exploitation makes all public-facing WordPress sites with the vulnerable plugin immediately at risk.
🏢 Internal Only: MEDIUM - Internal WordPress installations are still vulnerable but have reduced attack surface from external actors.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires knowledge of WordPress shortcodes but is straightforward once understood.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 1.2.0.4

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3253183%40currency-switcher&new=3253183%40currency-switcher

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins.
  3. Find 'WPCS - WordPress Currency Switcher Professional'.
  4. Click 'Update Now' if available.
  5. If no update appears, manually download the latest version from the WordPress repository and replace the plugin files.

🔧 Temporary Workarounds

Disable vulnerable plugin

WordPress

Temporarily disable the WPCS Currency Switcher plugin until patched

wp plugin deactivate currency-switcher

Restrict access to vulnerable endpoint

Apache

Use a web application firewall or an .htaccess rule to block requests that invoke the vulnerable action

  # Add to .htaccess (matches the action only in the query string, not in a POST body; use a WAF rule for that case):
  RewriteEngine On
  RewriteCond %{QUERY_STRING} action=wccs_ajax [NC]
  RewriteRule ^ - [F]

🧯 If You Can't Patch

  • Remove the WPCS Currency Switcher plugin completely from the WordPress installation
  • Implement strict input validation for all shortcode execution functions in custom code

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > WPCS Currency Switcher version. If version is 1.2.0.4 or lower, you are vulnerable.

Check Version:

wp plugin get currency-switcher --field=version

Verify Fix Applied:

Verify plugin version is higher than 1.2.0.4. Check the plugin code at line 1920 (or similar) for proper input validation before do_shortcode() calls.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to WordPress with 'action=wccs_ajax' parameter
  • Unexpected shortcode execution in WordPress debug logs
  • Multiple failed shortcode execution attempts

Network Indicators:

  • HTTP requests containing shortcode syntax in parameters
  • Unusual traffic patterns to WordPress ajax endpoints

SIEM Query:

source="wordpress.log" AND ("action=wccs_ajax" OR "do_shortcode" OR "[shortcode_name]")
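The log indicators above can be checked offline against a web server access log. The following Python script is an added example, not part of the original advisory or the plugin: it parses Apache combined-format lines (an assumption about the log format), flags requests whose query string carries the wccs_ajax action named on this page or any parameter containing WordPress shortcode syntax, and counts repeat sources. The log lines embedded in it are constructed samples. Note that POST bodies are not written to access logs, so parameters sent in a body are only visible with WAF or mod_security request logging.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2025:12:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=wccs_ajax&shortcode=%5Bgallery%5D HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.10 - - [10/Mar/2025:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=wccs_ajax HTTP/1.1" 200 128 "-" "python-requests/2.31"
198.51.100.5 - - [10/Mar/2025:12:00:03 +0000] "GET /?p=12 HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
198.51.100.6 - - [10/Mar/2025:12:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64 "-" "Mozilla/5.0"
203.0.113.12 - - [10/Mar/2025:12:00:05 +0000] "GET /search?q=%5Bcontact-form%5D HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# AJAX action named in the advisory for CVE-2025-2169.
VULN_ACTION = "wccs_ajax"

# WordPress shortcode syntax: "[name]" or "[name attr=...]" in a decoded parameter value.
SHORTCODE_RE = re.compile(r"\[[A-Za-z0-9_-]+(?:\s[^\]]*)?\]")

# Apache combined log format: client, ident, user, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict with ip, method, path and decoded query params, or None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    req = m.groupdict()
    parts = urlsplit(req["target"])
    req["path"] = parts.path
    # parse_qs percent-decodes values, so %5Bgallery%5D becomes [gallery].
    req["params"] = parse_qs(parts.query, keep_blank_values=True)
    return req


def classify(req):
    """List the indicators from the advisory that a parsed request matches."""
    reasons = []
    if VULN_ACTION in req["params"].get("action", []):
        reasons.append("vulnerable-action")
    for values in req["params"].values():
        if any(SHORTCODE_RE.search(v) for v in values):
            reasons.append("shortcode-syntax")
            break
    return reasons


def scan_log(text):
    """Return one finding per log line that matches at least one indicator."""
    findings = []
    for line in text.splitlines():
        req = parse_line(line)
        if req is None:
            continue
        reasons = classify(req)
        if reasons:
            findings.append({
                "ip": req["ip"],
                "method": req["method"],
                "path": req["path"],
                "reasons": reasons,
            })
    return findings


def repeat_offenders(findings, threshold=2):
    """Map source IP to hit count for sources at or above the threshold."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ip"]} {h["method"]} {h["path"]} -> {", ".join(h["reasons"])}')
    print("repeat sources:", repeat_offenders(hits))
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents; a line matching both "vulnerable-action" and "shortcode-syntax" is the strongest indicator, while "shortcode-syntax" alone is common in legitimate search traffic and should be correlated with the target path before escalating.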
