CVE-2025-2169
Published: 11 March 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-2169 is an arbitrary shortcode execution vulnerability affecting the WPCS – WordPress Currency Switcher Professional plugin for WordPress in all versions up to and including 1.2.0.4. The plugin exposes an action that passes a request-supplied value to the do_shortcode function without properly validating it first, so unauthenticated attackers can execute arbitrary shortcodes. It has a CVSS v3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and is associated with CWE-94 (Code Injection).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no privileges required. By supplying the insufficiently validated input, they can execute arbitrary shortcodes registered on the site, with low (per the CVSS vector) impacts on confidentiality, integrity, and availability, such as data disclosure, modification, or denial of service, depending on which shortcodes are invoked.
Advisories reference the WordPress plugin Trac repository, including the vulnerable code at index.php line 1920 and changesets 3249625 and 3253183 in the currency-switcher repository, which address the issue. The Wordfence threat intelligence page provides further details on the vulnerability (ID: bbb24ae0-41d6-4d8f-917c-dfd058a7a49d). Mitigation requires updating the plugin to a version beyond 1.2.0.4.
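The weakness class described above, shown as an added, hypothetical WordPress AJAX handler (this is not the WPCS plugin's code; the function, action and allowlist names are constructed). The first handler passes request input straight to do_shortcode(); the second accepts only an allowlisted shortcode tag and rebuilds the shortcode string server-side:

```php
<?php
// Constructed example of the CWE-94 pattern behind CVE-2025-2169; names are hypothetical.

// Weak pattern: an unauthenticated (nopriv) AJAX action hands request input to do_shortcode().
// Any shortcode registered on the site, with attacker-chosen attributes, can be invoked here.
function wpcs_demo_render_unsafe() {
    $raw = isset( $_POST['shortcode'] ) ? wp_unslash( $_POST['shortcode'] ) : '';
    echo do_shortcode( $raw );
    wp_die();
}

// Hardened pattern: only a known tag name is accepted, never raw shortcode markup,
// and the attribute set is fixed and sanitised before the shortcode string is built.
const WPCS_DEMO_ALLOWED_TAGS = array( 'currency_switcher' ); // constructed allowlist

function wpcs_demo_render_safe() {
    $tag = isset( $_POST['tag'] ) ? sanitize_key( wp_unslash( $_POST['tag'] ) ) : '';
    if ( ! in_array( $tag, WPCS_DEMO_ALLOWED_TAGS, true ) || ! shortcode_exists( $tag ) ) {
        wp_send_json_error( array( 'message' => 'unknown shortcode' ), 400 );
    }
    $currency = isset( $_POST['currency'] )
        ? sanitize_text_field( wp_unslash( $_POST['currency'] ) )
        : '';
    // The request never controls the shortcode syntax itself, only one validated attribute value.
    $html = do_shortcode( sprintf( '[%s currency="%s"]', $tag, esc_attr( $currency ) ) );
    wp_send_json_success( array( 'html' => $html ) );
}

// Register the hardened handler for both authenticated and unauthenticated requests.
add_action( 'wp_ajax_wpcs_demo_render', 'wpcs_demo_render_safe' );
add_action( 'wp_ajax_nopriv_wpcs_demo_render', 'wpcs_demo_render_safe' );
```

When reviewing a plugin for this class of bug, grep for do_shortcode() calls whose argument derives from $_GET, $_POST or $_REQUEST, and check that the handler validates the tag name against a fixed list rather than the raw string.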
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is a remote unauthenticated arbitrary shortcode execution flaw in a public-facing WordPress plugin, directly enabling exploitation of public-facing applications.