Impact
The vulnerable plugin function lets any logged‑in user with subscriber or higher privileges submit a refund request for any order, regardless of who owns it, exposing the store to financial loss through unauthorized refunds. The root cause is a missing authorization check: the request handler never verifies that the requesting user owns the order, so any attacker who can authenticate can trigger refunds on arbitrary orders. The weakness is classified as CWE‑639 (Authorization Bypass Through User-Controlled Key) and carries a CVSS score of 4.3, indicating moderate severity.
Affected Systems
The issue affects the Flexible Refund and Return Order for WooCommerce plugin from wpdesk in all versions up to and including 1.0.38. Sites running these versions on WordPress remain exposed until they apply a patch or upgrade to a fixed version.
Risk and Exploitability
With an EPSS score below 1% and no entry in the CISA KEV catalog, the likelihood of exploitation in the wild appears low, and the attack requires a valid authenticated account with subscriber-level access or higher. Successful exploitation lets the attacker create refund entries for arbitrary orders, potentially causing financial loss for the merchant. The CVSS score of 4.3 reflects the flaw's impact on confidentiality and integrity, while the low exploitation probability suggests that immediate, active monitoring of refund requests may suffice until a patch becomes available.
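As an added example, not code from the wpdesk plugin, the following sketches the vulnerability class the Impact section describes (a refund-request handler that trusts a user-supplied order id without checking ownership) beside a hardened version that enforces the ownership check and logs denied attempts, which is the kind of event the monitoring suggested above would key on. All function, action and nonce names are hypothetical; the WordPress and WooCommerce calls used (`check_ajax_referer`, `wc_get_order`, `WC_Order::get_customer_id`, `current_user_can`, `wp_send_json_error`) are real APIs.

```php
<?php
// Added illustration (not the plugin's code): a WordPress AJAX handler for
// "request a refund" in the CWE-639 shape described above, beside a hardened
// version. Function, action and nonce names are hypothetical.

// --- Vulnerable shape: order id taken from the request, no ownership check ---
function example_refund_request_vulnerable() {
    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( 'order not found', 404 );
    }
    // Any logged-in user reaches this point for any order id: this is the
    // missing authorization check (CWE-639).
    example_create_refund_entry( $order, get_current_user_id() );
    wp_send_json_success();
}

// --- Hardened shape: nonce + ownership check + audit log of denials ---
function example_refund_request_hardened() {
    // CSRF protection; 'example_refund' is an assumed nonce action name.
    check_ajax_referer( 'example_refund', 'nonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }

    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $order    = wc_get_order( $order_id );
    $user_id  = get_current_user_id();

    // Same response for "not found" and "not yours", so the order id space
    // cannot be enumerated from differing error messages.
    if ( ! $order || ! example_user_may_refund( $order, $user_id ) ) {
        // Audit trail: a burst of these from one account is the signal the
        // risk section's monitoring would alert on.
        error_log( sprintf( 'refund-request denied: user=%d order=%d', $user_id, $order_id ) );
        wp_send_json_error( 'order not found', 404 );
    }

    example_create_refund_entry( $order, $user_id );
    wp_send_json_success();
}

// The authorization decision: the order's own customer, or a shop manager.
function example_user_may_refund( WC_Order $order, int $user_id ): bool {
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }
    // Guest orders carry customer id 0 and must never match a logged-in user.
    $customer_id = (int) $order->get_customer_id();
    return $customer_id !== 0 && $customer_id === $user_id;
}

function example_create_refund_entry( WC_Order $order, int $user_id ) {
    // Placeholder for the plugin-specific refund record; records who asked.
    $order->add_order_note( sprintf( 'Refund requested by user %d', $user_id ) );
}

// Only the hardened handler is wired up; the vulnerable one is shown for contrast.
add_action( 'wp_ajax_example_refund_request', 'example_refund_request_hardened' );
```

The ownership test is the single line that separates the two handlers: the order's customer id must equal the authenticated user's id. `manage_woocommerce` is WooCommerce's shop-manager capability; whether managers should be able to file refund requests through the customer-facing path is a store policy choice, and the check can be narrowed to the order's customer alone. Because denied attempts are logged with both ids, a reviewer can distinguish a customer mistyping an order number from an account probing many orders.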
OpenCVE Enrichment