Attack Vectors
The medium-severity vulnerability (CVSS 5.3) in YayCurrency – WooCommerce Multi-Currency Switcher (slug: yaycurrency) affects all versions up to and including 3.3 and can be exploited remotely over the internet.
Because the issue allows unauthenticated activity (no login required), an attacker could target any site running a vulnerable version by sending requests designed to trigger arbitrary post deletion.
Security Weakness
CVE-2025-67994 is caused by a missing authorization (capability) check in a plugin function. In practical terms, the plugin does not consistently verify that the requester is allowed to perform destructive actions.
This weak access control can enable unauthorized deletion of WordPress content, even when the attacker has no user account on your site. Severity is rated Medium, but business exposure can be significant depending on how your site is used.
Reference: CVE-2025-67994 record and Wordfence advisory source.
Technical or Business Impacts
Content integrity risk: Unauthorized deletion of posts can remove landing pages, product announcements, legal notices, or campaign content—impacting SEO, conversion rates, and customer trust.
Revenue and operations disruption: If key pages are deleted (e.g., store policies, promotional pages, or support content), marketing performance and customer experience may degrade quickly, increasing support burden and lowering sales.
Compliance and audit concerns: For regulated organizations, unexpected content loss can complicate recordkeeping, approvals, and audit trails—especially if the deleted content relates to disclosures, consent language, or policy statements.
Brand and reputational impact: Visible missing pages or broken links can look like neglect or compromise, which may reduce confidence among customers, partners, and stakeholders.
Recommended action: Update YayCurrency – WooCommerce Multi-Currency Switcher to version 3.3.1 or a newer patched version as soon as practical, and confirm that backups and restore procedures are working in case content needs to be recovered.
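To confirm whether a site is on an affected release (3.3 or earlier) or on 3.3.1 or newer, the following added example (not code from the plugin or the advisory) reads the plugin's Version header from disk and compares it numerically. It assumes the plugin is installed under wp-content/plugins/yaycurrency; the function names and the sample installs built by demo() are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

SLUG = "yaycurrency"   # plugin slug, from the advisory
FIXED = (3, 3, 1)      # first patched release, from the advisory

# Plugin header fields sit in a PHP comment, e.g. " * Version: 3.3"
NAME_RE = re.compile(r"^[ \t/*#@]*Plugin Name:", re.M | re.I)
VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.M | re.I)

def parse_version(text):
    """'3.3' -> (3, 3, 0); numeric compare so that 3.10 sorts above 3.3.1."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def installed_version(plugin_dir):
    """Return the Version header of the plugin's main file, or None."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        # WordPress reads plugin headers from the first 8 KB of the file
        head = php.read_bytes()[:8192].decode("utf-8", "replace")
        if NAME_RE.search(head):
            match = VERSION_RE.search(head)
            return match.group(1) if match else None
    return None

def audit(wp_root):
    """Classify an install: 'absent', 'unknown', 'vulnerable' or 'patched'."""
    plugin_dir = Path(wp_root) / "wp-content" / "plugins" / SLUG
    if not plugin_dir.is_dir():
        return "absent"
    version = installed_version(plugin_dir)
    if version is None:
        return "unknown"
    return "vulnerable" if parse_version(version) < FIXED else "patched"

def demo():
    """Run audit() over constructed installs (sample data, not real sites)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        for version in ("3.3", "3.3.1", "3.10"):
            root = Path(tmp) / version
            plugin = root / "wp-content" / "plugins" / SLUG
            plugin.mkdir(parents=True)
            header = f"<?php\n/**\n * Plugin Name: Sample\n * Version: {version}\n */\n"
            (plugin / "main.php").write_text(header)  # constructed file name
            results[version] = audit(root)
        results["none"] = audit(Path(tmp) / "missing")
    return results
```

Call audit() with the WordPress root of each site; an "unknown" result means the directory exists but no readable Version header was found and the install should be inspected by hand.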