CVE-2026-39497
Published: 08 April 2026
Summary
CVE-2026-39497 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2026-39497 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability that enables Blind SQL Injection in the RealMag777 FOX woocommerce-currency-switcher WordPress plugin. The issue affects FOX plugin versions from an unspecified starting point through 1.4.5 and was published on 2026-04-08.
The vulnerability carries a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L), indicating exploitation over the network with low attack complexity, requiring high privileges, and no user interaction. High-privileged attackers can leverage this to achieve high confidentiality impact through data extraction via blind SQL techniques, with a changed scope, no integrity impact, and low availability impact.
Mitigation details are provided in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/woocommerce-currency-switcher/vulnerability/wordpress-fox-plugin-1-4-5-sql-injection-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-20164
Vulnerability details
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in RealMag777 FOX woocommerce-currency-switcher allows Blind SQL Injection.This issue affects FOX: from n/a through <= 1.4.5.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection vulnerability in public-facing WordPress plugin directly enables exploitation of public-facing applications (T1190) and facilitates blind data extraction from the database (T1213.006).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires validation and sanitization of information inputs to prevent improper neutralization of special elements leading to blind SQL injection in the FOX plugin.
Mandates timely flaw remediation, including patching the vulnerable FOX woocommerce-currency-switcher plugin versions up to 1.4.5 to eliminate the SQL injection vulnerability.
Boundary protection with web application firewalls monitors and filters network traffic for SQL injection patterns, mitigating remote exploitation of this vulnerability.