CVE-2025-2169: 
WordPress vulnerability analysis and mitigation

The WPCS – WordPress Currency Switcher Professional plugin for WordPress is vulnerable to arbitrary shortcode execution in versions up to and including 1.2.0.4. The vulnerability was discovered and disclosed on March 11, 2025, and has been assigned identifier CVE-2025-2169. This security issue affects the WordPress Currency Switcher plugin, which is used for currency conversion and price display on WordPress websites (NVD).

The vulnerability stems from improper validation of user input before executing the do_shortcode function. The issue exists in the plugin's handling of the 'exclude' parameter, where user input is not properly sanitized before being passed to the shortcode execution function. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.3 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L. The weakness has been classified as CWE-94: Improper Control of Generation of Code (Code Injection) (NVD, WordPress Trac).

The vulnerability allows unauthenticated attackers to execute arbitrary shortcodes on affected WordPress installations. This could potentially lead to unauthorized access to sensitive information, manipulation of website content, and compromise of website functionality (NVD).

The vulnerability has been patched in version 1.2.0.5 of the WordPress Currency Switcher plugin. Site administrators are strongly advised to update to this version immediately. The fix includes proper sanitization of the 'exclude' parameter and implementation of additional security checks (WordPress Trac).