CVE-2021-24566: 
WordPress vulnerability analysis and mitigation

The WooCommerce Currency Switcher FOX WordPress plugin before version 1.3.7 contained a Local File Inclusion (LFI) vulnerability identified as CVE-2021-24566. The vulnerability was discovered during an internal audit by Marc Montpas from Jetpack Scan team and was disclosed on July 22, 2021. This security flaw affected the plugin's 'woocs' shortcode implementation (Jetpack Advisory, WPScan).

The vulnerability stems from improper handling of arguments in the render_html method used by the [woocs] shortcode. The method failed to properly validate inputs before using PHP's extract function, allowing attackers to overwrite the $pagepath variable with arbitrary file paths. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The issue is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) (NVD).

The vulnerability could enable attackers to leak sensitive information such as database credentials and cryptographic keys. In some instances, it could potentially lead to arbitrary code execution. The severity of the issue is heightened because WordPress allows any logged-in users to render shortcodes, regardless of their post-editing privileges (Jetpack Advisory).

The vulnerability was patched in version 1.3.7 of the WooCommerce Currency Switcher plugin. Users running older versions are strongly encouraged to update immediately to the patched version. The fix was released on July 19, 2021, following responsible disclosure to the plugin developers (Jetpack Advisory).