CVE-2026-11778
Medium, CVSS 5.4
Summary
The CURCY – Multi Currency for WooCommerce plugin for WordPress up to version 2.2.14 is vulnerable to arbitrary shortcode execution by unauthenticated attackers. This is due to insufficient validation before passing a value to the do_shortcode function.
Risk Assessment
An attacker can exploit this vulnerability to execute unauthorized shortcodes, potentially displaying sensitive data or modifying site content, leading to integrity and confidentiality breaches.
Recommendation
Immediately update the CURCY – Multi Currency for WooCommerce plugin to the latest available version that fixes this vulnerability. If no update is available, consider temporarily disabling the plugin.
Original NVD description (English source)
The CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.2.14. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

