CVE-2024-0201 in Product Expiry for WooCommerce Plugin
Summary
by MITRE • 01/03/2024
The Product Expiry for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_settings' function in versions up to, and including, 2.5. This makes it possible for authenticated attackers, with subscriber-level permissions or above to update plugin settings. CVE-2023-52179 appears to be a duplicate of this issue.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 04/11/2026
The CVE-2024-0201 vulnerability affects the Product Expiry for WooCommerce plugin, a widely used WordPress extension that manages product expiration dates and related functionalities within e-commerce environments. This security flaw represents a critical authorization bypass issue that undermines the integrity of plugin configurations and potentially exposes sensitive business operations to unauthorized modifications. The vulnerability exists within the plugin's core functionality and affects all versions up to and including 2.5, making it a persistent threat across multiple releases that organizations have failed to address adequately.
The technical flaw stems from a critical missing capability check within the 'save_settings' function of the plugin's codebase. This function, which should require administrative privileges to modify core plugin configurations, fails to validate user permissions properly. Authentication attackers with subscriber-level accounts or higher can exploit this weakness to execute unauthorized modifications to plugin settings, effectively bypassing the intended access controls that should restrict such operations to administrators or users with appropriate privileges. The vulnerability demonstrates a classic authorization bypass pattern that aligns with CWE-285, which specifically addresses insufficient authorization issues in software systems.
The operational impact of this vulnerability extends beyond simple configuration changes, as it creates a persistent backdoor for malicious actors to manipulate critical e-commerce operations. Attackers can potentially disable product expiration features, modify pricing configurations, or alter inventory management settings that directly affect business revenue and customer experience. The vulnerability is particularly dangerous in multi-user WordPress environments where subscribers might have legitimate access to the site but should not possess administrative capabilities. This scenario creates a significant risk for online retailers who rely on automated product expiration workflows to manage inventory, seasonal offerings, and promotional campaigns.
From a cybersecurity perspective, this vulnerability aligns with ATT&CK technique T1078.004, which covers legitimate credentials, as attackers can leverage existing subscriber accounts to gain elevated privileges within the plugin interface. The security implications are compounded by the fact that this vulnerability affects a popular plugin with widespread deployment across WordPress installations, making it an attractive target for automated exploitation campaigns. Organizations running affected versions should immediately implement mitigation strategies including plugin updates, role-based access restrictions, and monitoring for unauthorized configuration changes.
The duplicate CVE-2023-52179 reference indicates that this vulnerability was not properly addressed in previous security assessments, suggesting a pattern of inadequate vulnerability management within the plugin development lifecycle. This oversight represents a failure in proper security testing and code review processes that should have identified and corrected the missing capability check during the development phase. The persistence of such issues in widely deployed plugins highlights the critical importance of regular security audits and the implementation of proper access control mechanisms throughout the software development life cycle. Organizations should prioritize updating to patched versions immediately while implementing additional monitoring controls to detect potential exploitation attempts.