Impact
The vulnerability in the Hide Category by User Role for WooCommerce plugin allows unauthenticated attackers to trigger wp_cache_flush() during the admin_init hook, because the code lacks a capability check. This action removes all cached objects from the WordPress object cache, causing immediate performance degradation on the site. The attack does not provide code execution, data exfiltration, or direct compromise of system integrity, but it can lead to slower page loads and repeated resource strain.
Affected Systems
All installations of the Hide Category by User Role for WooCommerce plugin supplied by themesupport, version 2.3.1 or earlier, are affected. The flaw is confined to the plugin’s core code and does not rely on vulnerabilities in WordPress itself. Sites running any of these affected plugin versions are at risk.
Risk and Exploitability
The CVSS score of 5.3 reflects a moderate impact focused on availability. An EPSS score of less than 1% implies a very low likelihood of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The lack of authentication checks permits any web user, without logging in, to send crafted requests that invoke wp_cache_flush(), which can repeatedly purge the cache. The direct damage is limited to service disruption, but repeated cache purges can add up to a denial-of-service effect.
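The missing check described under Impact and Risk and Exploitability, shown as a pattern next to a hardened form. This is an added example, not the plugin's source code: the hcur_* function names, the hcur_flush parameter, the nonce names and the choice of the manage_woocommerce capability are assumptions made for illustration.

```php
<?php
// Hypothetical names throughout (hcur_*); this is not the plugin's source.

// Pattern the advisory describes: a cache flush hooked to admin_init with no
// capability check. admin_init is not an authorization boundary, so reaching
// the hook says nothing about who sent the request.
function hcur_flush_cache_unchecked() {
    if ( isset( $_GET['hcur_flush'] ) ) {   // hypothetical trigger parameter
        wp_cache_flush();                   // runs for any caller
    }
}

// Hardened form: require an intentional POST, a privileged user and a nonce
// before the object cache is touched.
function hcur_flush_cache_checked() {
    if ( ! isset( $_POST['hcur_flush'] ) ) {
        return; // not a flush request, nothing to do
    }

    // Assumed capability: WooCommerce's shop-management permission.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to flush the cache.' ),
            '',
            array( 'response' => 403 )
        );
    }

    // Nonce check rejects requests forged through an administrator's browser;
    // check_admin_referer() terminates the request itself on failure.
    check_admin_referer( 'hcur_flush_cache', 'hcur_nonce' );

    wp_cache_flush();
}

// Only the checked handler is registered.
add_action( 'admin_init', 'hcur_flush_cache_checked' );
```

When reviewing other plugins for the same class of flaw, look for state-changing calls inside admin_init callbacks that are not preceded by current_user_can() and a nonce verification.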