What the vulnerability does
01 Description
The Hide Category by User Role for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.3.1. This is due to a missing capability check on the admin_init hook that executes wp_cache_flush(). This makes it possible for unauthenticated attackers to flush the site's object cache via forged requests, potentially degrading site performance.
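The pattern the description refers to, shown as an added illustration rather than the plugin's actual code: a callback hooked to admin_init that performs a side effect without checking who is asking, next to a hardened form. Function names, the `hcur_flush` request parameter and the nonce action name are assumed for the example.

```php
<?php
// Added example, not code from the Hide Category by User Role plugin.
// Names (hcur_example_*, 'hcur_flush', 'hcur_flush_cache') are assumed.

// Vulnerable pattern as described in the advisory: admin_init fires on
// admin entry points that do not require a logged-in user (admin-ajax.php
// and admin-post.php among them), so a callback attached to it runs for
// any visitor who sends the triggering request. With no capability check,
// wp_cache_flush() is reachable unauthenticated.
function hcur_example_flush_cache_unsafe() {
    if ( isset( $_GET['hcur_flush'] ) ) { // assumed trigger parameter
        wp_cache_flush();                  // side effect, no authorization
    }
}
// add_action( 'admin_init', 'hcur_example_flush_cache_unsafe' );

// Hardened form: gate the side effect on a capability and a nonce.
// Unauthenticated requests fail current_user_can(); forged requests from
// a logged-in administrator's browser fail the nonce check.
function hcur_example_flush_cache_safe() {
    if ( ! isset( $_GET['hcur_flush'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do that.' ), 403 );
    }
    // Dies with a 403 unless _wpnonce matches the 'hcur_flush_cache' action.
    // The triggering link must be built with wp_nonce_url( $url, 'hcur_flush_cache' ).
    check_admin_referer( 'hcur_flush_cache' );
    wp_cache_flush();
}
add_action( 'admin_init', 'hcur_example_flush_cache_safe' );
```

When reviewing a plugin for this class of bug, look at every callback attached to admin_init, admin_post_* and wp_ajax_nopriv_* hooks and confirm that any state-changing call (cache flushes, option updates, file writes) sits behind both a current_user_can() check and a nonce check; the hook name alone provides neither.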
Explanation of Vulnerability in Simple Terms
02 Summary
The Hide Category by User Role for WooCommerce plugin through version 2.3.1 lacks proper authorization checks on category visibility rules. An attacker without authentication can modify which product categories are hidden or shown to different user roles, potentially exposing restricted product listings or hiding categories from intended audiences. This affects the plugin's core access control functionality.
What an attacker can do
03 Attacker Capabilities
Change which product categories are visible or hidden for different user roles without logging in.
Potential impact on your site
04 Site Impact
Product category visibility rules can be altered by unauthenticated visitors, breaking intended access restrictions.
Conditions required to exploit
05 Prerequisites
Network access to the WordPress site; no authentication or user interaction required.
Key dates
06 Disclosure timeline
November 27, 2025
CVE published
April 8, 2026
Record updated