{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39497", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-04-07T10:47:43.843Z", "datePublished": "2026-04-08T08:30:12.597Z", "dateUpdated": "2026-04-08T08:30:12.597Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "woocommerce-currency-switcher", "product": "FOX", "vendor": "RealMag777", "versions": [{"changes": [{"at": "1.4.6", "status": "unaffected"}], "lessThanOrEqual": "1.4.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "timomangcut | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-08T10:28:58.949Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 FOX woocommerce-currency-switcher allows Blind SQL Injection.<p>This issue affects FOX: from n/a through <= 1.4.5.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 FOX woocommerce-currency-switcher allows Blind SQL Injection.This issue affects FOX: from n/a through <= 1.4.5."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-08T08:30:12.597Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/woocommerce-currency-switcher/vulnerability/wordpress-fox-plugin-1-4-5-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress FOX plugin <= 1.4.5 - SQL Injection vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 FOX woocommerce-currency-switcher allows Blind SQL Injection.This issue affects FOX: from n/a through <= 1.4.5."}], "id": "CVE-2026-39497", "lastModified": "2026-04-08T21:26:35.910", "metrics": {}, "published": "2026-04-08T09:16:24.090", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/woocommerce-currency-switcher/vulnerability/wordpress-fox-plugin-1-4-5-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,1.4.5]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "[1.4.6,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "fox", "vendor": "realmag777"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T09:23:25.913682+00:00", "value": {"mitigation_remediation": ["Update the RealMag777 FOX plugin to a version newer than 1.4.5 as soon as it becomes available.", "Verify the plugin version after updating to ensure the patch has been applied.", "If no newer version is released, disable or uninstall the plugin as a temporary measure until a fix is issued.", "Ensure the WordPress database user has the least privileges necessary for normal operation.", "Apply or configure a web application firewall to block suspicious SQL injection patterns.", "Continue to monitor WordPress and database logs for evidence of exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection \u2013 data confidentiality and integrity risk"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all installations of the RealMag777 FOX plugin for WordPress through version 1.4.5, including earlier releases. Any WordPress site using this currency switcher plugin in the specified versions is potentially exposed.", "description_and_impact": "The FOX WooCommerce Currency Switcher plugin contains an SQL injection flaw caused by improper neutralization of special characters in SQL statements. The weakness enables a blind SQL injection attack, allowing an adversary to read or modify sensitive data stored in the WordPress database. This vulnerability aligns with CWE\u201189 and can lead to loss of data confidentiality and integrity.", "risk_and_exploitability": "While a formal CVSS score is not provided, SQL injection is a high\u2011severity vulnerability. Exploitation requires an attacker to supply crafted input via the plugin\u2019s interface, yielding data exfiltration rather than code execution. The lack of an EPSS rating and absence from the KEV catalog suggest limited publicly known exploits at present, but the potential impact remains significant because the database holds transactional and customer data. Site owners should treat this as a priority risk."}}}}, "created": "2026-04-08T19:43:07.270018+00:00", "updated": "2026-04-09T08:22:15.812760+00:00", "vendors": ["realmag777", "realmag777$PRODUCT$fox", "wordpress", "wordpress$PRODUCT$wordpress"]}