Arbitrary Shortcode Execution Vulnerability in WPCS - WordPress Currency Switcher Professional
CVE-2025-2169

7.3HIGH

Key Information:

Vendor: WordPress
Status: WPcs – WordPress Currency Switcher Professional
Vendor: CVE Published:; 11 March 2025

What is CVE-2025-2169?

The WPCS - WordPress Currency Switcher Professional plugin is susceptible to arbitrary shortcode execution due to insufficient validation of user inputs. This flaw permits unauthenticated individuals to execute arbitrary shortcodes, potentially compromising website integrity and security. This vulnerability affects all versions up to and including 1.2.0.4, highlighting the necessity for users to implement immediate updates and security measures.

Affected Version(s)

WPCS – WordPress Currency Switcher Professional * <= 1.2.0.4

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/currency-switc...

https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:

7.3

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 11, 2025
Vulnerability Reserved
Mar 10, 2025

Credit

Arkadiusz Hydzik