CVE-2024-1807 in Product Sort and Display for WooCommerce Plugin
Summary
by MITRE • 04/02/2024
The Product Sort and Display for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the psad_update_product_cat_custom_meta_ajax function in all versions up to, and including, 2.4.1. This makes it possible for unauthenticated attackers to hide product categories.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 04/14/2026
The vulnerability identified as CVE-2024-1807 affects the Product Sort and Display for WooCommerce plugin, a widely used WordPress extension that manages product category sorting and display functionalities. This plugin serves as a critical component in e-commerce websites relying on WooCommerce for their online store operations, making its security implications particularly significant for retail and commerce platforms. The flaw exists within the plugin's handling of custom meta data for product categories, specifically in the psad_update_product_cat_custom_meta_ajax function that processes AJAX requests for updating category metadata.
The technical weakness stems from a critical missing capability check within the plugin's codebase, which fails to verify user permissions before executing modifications to product category data. This absence of proper authentication validation creates an unauthorized access vector where any attacker can exploit the vulnerability without requiring valid credentials or administrative privileges. The vulnerability is classified as a privilege escalation issue under CWE-284, which specifically addresses inadequate access control mechanisms that allow unauthorized users to perform actions beyond their intended permissions. The flaw manifests when the psad_update_product_cat_custom_meta_ajax function processes incoming AJAX requests, bypassing the standard WordPress capability checks that should verify whether the requesting user has sufficient privileges to modify product category information.
The operational impact of this vulnerability extends beyond simple data modification, as it allows attackers to manipulate the visibility and presentation of product categories within the WooCommerce store. An attacker can exploit this flaw to hide product categories from customers, potentially affecting sales conversion rates and customer experience. This manipulation capability can be leveraged for various malicious activities including information warfare, competitive advantage disruption, or creating confusion among customers. The vulnerability particularly affects e-commerce platforms where product categorization plays a crucial role in user navigation and sales optimization. According to ATT&CK framework category T1068, this vulnerability represents an unauthorized access technique that allows adversaries to leverage existing user privileges or create new ones, while T1499 covers the potential for data manipulation that could impact business operations and customer trust.
Mitigation strategies for CVE-2024-1807 require immediate attention from system administrators and security teams managing affected WordPress installations. The most effective immediate solution involves updating to the latest version of the Product Sort and Display for WooCommerce plugin where the capability check has been properly implemented. Organizations should also implement network-level monitoring to detect unusual AJAX request patterns that might indicate exploitation attempts. Security measures including role-based access controls, regular security audits, and plugin vulnerability scanning should be enhanced to prevent similar issues. Additionally, implementing web application firewalls and restricting access to administrative endpoints can provide defense-in-depth protection. The vulnerability underscores the importance of proper input validation and capability checks in WordPress plugin development, aligning with security best practices outlined in the OWASP Top Ten and WordPress security hardening guidelines. Regular patch management processes should be reinforced to ensure timely application of security updates and prevent exploitation of known vulnerabilities in third-party components.