CVE-2025-13441 MEDIUM

CVE-2025-13441: Hide Category by User Role for WooCommerce <= 2.3.1 - Missing Authorization to Unauthenticated Cache Flushing

Vendor Themesupport
Product Hide Category by User Role for WooCommerce
Weakness CWE-862 · Missing authorization
Published November 27, 2025
Last update April 8, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01Description

The Hide Category by User Role for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.3.1. This is due to a missing capability check on the admin_init hook that executes wp_cache_flush(). This makes it possible for unauthenticated attackers to flush the site's object cache via forged requests, potentially degrading site performance.

Explanation of Vulnerability in Simple Terms

02Summary

The Hide Category by User Role for WooCommerce plugin through version 2.3.1 lacks proper authorization checks on category visibility rules. An attacker without authentication can modify which product categories are hidden or shown to different user roles, potentially exposing restricted product listings or hiding categories from intended audiences. This affects the plugin's core access control functionality.

What an attacker can do

03Attacker Capabilities

Change which product categories are visible or hidden for different user roles without logging in.

Potential impact on your site

04Site Impact

Product category visibility rules can be altered by unauthenticated visitors, breaking intended access restrictions.

Conditions required to exploit

05Prerequisites

Network access to the WordPress site; no authentication or user interaction required.

Key dates

06Disclosure timeline

November 27, 2025 CVE published
April 8, 2026 Record updated

Related vulnerabilities

08Related CVE