Severe Vulnerability Patched In WooCommerce Currency Switcher

During an internal audit of the woocommerce-currency-switcher plugin, we uncovered a very severe local file inclusion vulnerability. 

This security flaw could enable attackers to leak sensitive information like database credentials, cryptographic keys, and may allow arbitrary code execution in some instances.

We reported the vulnerabilities to the WOOCS team via email last week, and they released version 1.3.7 to fix this issue. If you are using an older version of this plugin, we encourage you to update immediately.


Plugin Name: WOOCS – WooCommerce Currency Switcher
Plugin URI:

The Vulnerability

Due to the seriousness of this vulnerability, and the number of affected sites, we will delay posting the proof of concept to give users time to upgrade.

Authenticated Local File Inclusion

Affected Versions: < 1.3.7
CVE-ID: CVE-2021-24566
CVSSv3.1: 9.9
CWSS: 96.5

public function render_html($pagepath, $data = array()) {
    return ob_get_clean();

The render_html method, which is used by the [woocs] shortcode to display the currency switcher on a page, does not correctly handle arguments sent to PHP’s extract function. 

    public function woocs_shortcode($args) {
        if (empty($args)) {
            $args = array();
        $args['shortcode_params'] = $args;
        if (isset($args['sd']) AND intval($args['sd']) > 0) {
            wp_enqueue_style('woocs-sd-selectron23', WOOCS_LINK . 'css/sd/selectron23.css', [], WOOCS_VERSION);
            wp_enqueue_script('woocs-sd-selectron23', WOOCS_LINK . 'js/sd/selectron23.js', [], WOOCS_VERSION);
            wp_enqueue_script('woocs-sd-front', WOOCS_LINK . 'js/sd/front.js', ['woocs-sd-selectron23'], WOOCS_VERSION);
            if ($this->shop_is_cached) {
                wp_enqueue_script('woocs-sd-front-cache', WOOCS_LINK . 'js/sd/front-cache.js', ['woocs-sd-front'], WOOCS_VERSION);
            global $WOOCS_SD;
            $args['sd_id'] = intval($args['sd']);
            $args['sd_settings'] = $WOOCS_SD->get(intval($args['sd']));
        return $this->render_html(WOOCS_PATH . 'views/shortcodes/woocs.php', $args);

Since $data contains all of the shortcode’s attributes, $pagepath can be overwritten with arbitrary file paths, which will then be included in the site’s execution context.

Since WordPress allows any logged-in users to render shortcodes, regardless if they have post-editing privileges or not, this is a pretty severe bug. 

Proof of concept

To be released.


2021-07-09 – Initial contact with
2021-07-14 – We sent them details about this vulnerability
2021-07-15 – sendt us a tentative patch, and scheduled release on the 19th
2021-07-19 – WooCommerce Currency Switcher version 1.3.7 was released


We recommend that you check which version of the WooCommerce Currency Switcher plugin you are using on your site, and if it is less than 1.3.7 update it as soon as possible! 

At Jetpack we work hard to make sure your websites are protected from these types of vulnerabilities. To stay one step ahead of any new threats, check out Jetpack Scan, which includes security scanning and automated malware removal.


Original researcher: Marc Montpas

Thanks to the rest of the Jetpack Scan team for feedback, help, and corrections. Also, thanks to for swiftly addressing this issue and releasing the updated version.

This entry was posted in Vulnerabilities. Bookmark the permalink.

Marc Montpas profile
Marc Montpas

Marc’s interests led him to work in the trenches of cybersecurity for the better part of the last decade, notably at companies like Sucuri and GoDaddy. His journey led him to uncover several high-impact security issues while auditing open-source platforms, like WordPress. He’s an avid Hacker Capture The Flag player and loves to hypothesize new attack vectors.

Explore the benefits of Jetpack

Learn how Jetpack can help you protect, speed up, and grow your WordPress site.

Get up to 50% off your first year.

Compare plans

Have a question?

Comments are closed for this article, but we're still here to help! Visit the support forum and we'll be happy to answer any questions.

View support forum
  • Enter your email address to follow this blog and receive news and updates from Jetpack!

    Join 112.3K other subscribers
  • Browse by Topic

  • %d bloggers like this: