CVE-2025-13441
Hide Category by User Role for WooCommerce <= 2.3.1 - Missing Authorization to Unauthenticated Cache Flushing
Vexday Risk Score
13Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 5.3EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —
Ciclo de vida
27 nov 2025Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
The Hide Category by User Role for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 2.3.1. This is due to a missing capability check on the admin_init hook that executes wp_cache_flush(). This makes it possible for unauthenticated attackers to flush the site's object cache via forged requests, potentially degrading site performance.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Produtos afetados
themesupport · Hide Category by User Role for WooCommerceQuer saber se a sua infraestrutura está exposta a isto?
Falar com a TrueHacking →Referências
https://plugins.trac.wordpress.org/browser/hide-category-by-user-role-for-woocommerce/tags/2.3.1/admin/admin-ui-setup.php#L165https://plugins.trac.wordpress.org/browser/hide-category-by-user-role-for-woocommerce/trunk/admin/admin-ui-setup.php#L165https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3402760%40hide-category-by-user-role-for-woocommerce&new=3402760%40hide-category-by-user-role-for-woocommerce&sfp_email=&sfph_mail=https://www.wordfence.com/threat-intel/vulnerabilities/id/b05b0f6d-ffa4-40f4-b969-1153192c52d6?source=cve