CVE-2025-13441
BaseFortify
Publication date: 2025-11-27
Last updated on: 2025-11-27
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| woocommerce | woocommerce | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Hide Category by User Role for WooCommerce plugin for WordPress is a Missing Authorization issue. It occurs because the plugin does not properly check user capabilities on the admin_init hook before executing the wp_cache_flush() function. This allows unauthenticated attackers to send forged requests that flush the site's object cache.
How can this vulnerability impact me?
This vulnerability can allow unauthenticated attackers to flush the site's object cache, which can degrade site performance. While it does not directly compromise data confidentiality or availability, the performance degradation could affect user experience and site reliability.
What immediate steps should I take to mitigate this vulnerability?
Update the Hide Category by User Role for WooCommerce plugin to a version later than 2.3.1 where the missing authorization check is fixed. Until then, restrict access to the admin_init hook or disable the plugin to prevent unauthenticated cache flush requests.
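As an added illustration (not the plugin's code), here is a hypothetical admin_init handler in the shape the answers above describe, beside a hardened version that checks a capability and a nonce before calling wp_cache_flush(). The hcur_* names and the hcur_flush_cache query parameter are assumptions.

```php
<?php
// Added example, not the plugin's code. All hcur_* names are assumptions.

// Unauthorized shape (CWE-862): admin_init fires on every request under
// wp-admin/, including admin-ajax.php from logged-out visitors, so a bare
// query-string trigger lets anyone flush the object cache.
function hcur_flush_cache_unsafe() {
    if ( isset( $_GET['hcur_flush_cache'] ) ) {
        wp_cache_flush();
    }
}
// add_action( 'admin_init', 'hcur_flush_cache_unsafe' ); // missing authorization

// Hardened shape: require a capability, then a nonce bound to this action,
// and only then flush. Both checks run before any side effect.
function hcur_flush_cache_safe() {
    if ( ! isset( $_GET['hcur_flush_cache'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Dies with 403 if the nonce is missing, expired or for another action.
    check_admin_referer( 'hcur_flush_cache' );

    wp_cache_flush();

    // Return to the settings page with a flag the UI can show as a notice.
    wp_safe_redirect( add_query_arg( 'hcur_flushed', '1', wp_get_referer() ) );
    exit;
}
add_action( 'admin_init', 'hcur_flush_cache_safe' );

// The only legitimate way to trigger the flush: a nonce-protected link that
// is rendered on the plugin's own settings page for privileged users.
function hcur_flush_cache_link() {
    $url = admin_url( 'admin.php?page=hcur-settings&hcur_flush_cache=1' );
    return wp_nonce_url( $url, 'hcur_flush_cache' );
}
```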