Description
Missing Authorization vulnerability in Devteam HaywoodTech Product Rearrange for WooCommerce products-rearrange-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Product Rearrange for WooCommerce: from n/a through <= 1.2.2.
Published: 2026-03-25
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Patch Immediately
AI Analysis

Impact

The plugin’s configuration management lacks proper authorization checks, allowing an attacker who can craft requests to the plugin’s endpoints to reorder or reposition products without authorization. This flaw is a missing‑authorization weakness that lets unauthorized users perform actions intended for privileged roles.

Affected Systems

Affected systems are WordPress sites running the Devteam HaywoodTech Product Rearrange for WooCommerce plugin through version 1.2.2. The plugin modifies WooCommerce product ordering, and in versions through 1.2.2 its authorization logic is incomplete, exposing stores to insecure changes.

Risk and Exploitability

With a CVSS score of 8.2 the issue is rated high severity, but the EPSS score (<1%) indicates exploitation is unlikely, and the vulnerability is not listed in the CISA KEV catalog. Exploitation would most likely occur via the WordPress admin interface by any authenticated user, so the impact is confined to configuration changes of product arrangement.

Generated by OpenCVE AI on March 26, 2026 at 21:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to the latest release of Product Rearrange for WooCommerce (version 1.2.3 or later) as soon as it becomes available.
  • If an update is not immediately possible, restrict WordPress admin access to a minimal set of trusted users and monitor for unauthorized reorder activity.
  • Verify that the plugin’s reorder endpoints are not accessible to unauthenticated users by testing with a non‑administrator account.
  • Review server and plugin logs regularly for unexpected product reordering and notify site administrators of any suspicious changes.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 20:15:00 +0000

Values Removed: (none)
Values Added:
  Metrics:
    cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H'}
    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 26 Mar 2026 12:00:00 +0000

Values Removed: (none)
Values Added:
  First Time appeared: Devteam Haywoodtech; Devteam Haywoodtech product Rearrange For Woocommerce; Wordpress; Wordpress wordpress
  Vendors & Products: Devteam Haywoodtech; Devteam Haywoodtech product Rearrange For Woocommerce; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Values Removed: (none)
Values Added:
  Description: Missing Authorization vulnerability in Devteam HaywoodTech Product Rearrange for WooCommerce products-rearrange-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Product Rearrange for WooCommerce: from n/a through <= 1.2.2.
  Title: WordPress Product Rearrange for WooCommerce plugin <= 1.2.2 - Broken Access Control vulnerability
  Weaknesses: CWE-862
  References:

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T19:48:34.347Z

Reserved: 2026-03-10T10:59:45.899Z

Link: CVE-2026-31921

Vulnrichment

Updated: 2026-03-26T19:46:50.228Z

NVD

Status: Deferred

Published: 2026-03-25T17:16:58.913

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-31921

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:31:14Z

Weaknesses