CVE-2026-11778

MEDIUM
5.4
CVSS 3.1
Description
The CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 2.2.14. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for unauthenticated attackers to execute arbitrary shortcodes.

Metadata

CVE ID
CVE-2026-11778
State
PUBLISHED
Assigner
Wordfence
Reserved
2026-06-09 12:15 UTC
Published
2026-07-03 07:53 UTC
Last updated
2026-07-03 07:53 UTC
Primary CWE
CWE-94
CWE-94 Improper Control of Generation of Code ('Code Injecti…
Vendor / Product
villatheme / CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x
Sources
cve.org  ·  NVD

Severity & Metrics

5.4 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Affected products (1)
| Vendor | Product | Platform | Versions |
| villatheme | CURCY – Multi Currency for WooCommerce – Smoothly on WooCommerce 9.x | | 0 ≤ 2.2.14 |
Weakness (CWE)
| CWE | Source | Description |
| CWE-94 | cna | CWE-94 Improper Control of Generation of Code ('Code Injection') |
CVSS scores (1)
| Score | Severity | Version | Source | Vector |
| 5.4 | MEDIUM | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |