Description
The Return Refund and Exchange For WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.5.5 via the 'wps_rma_cancel_return_request' AJAX endpoint due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete other users' refund requests.
Published: 2025-11-21
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Insecure Direct Object Reference allowing authenticated users to delete other users' refund requests
Action: Apply Patch
AI Analysis

Impact

The Return Refund and Exchange For WooCommerce plugin contains an insecure direct object reference in the wps_rma_cancel_return_request AJAX endpoint. Because the plugin does not check that the user-controlled key refers to a record the caller owns, any authenticated user with Subscriber or higher privileges can send a request that deletes another user's refund record. This leads to unauthorized cancellation of refund requests, potentially causing financial loss or customer dissatisfaction. The weakness is classified as CWE-639.

Affected Systems

The vulnerability affects the Return Refund and Exchange For WooCommerce plugin by wpswings. Versions up to and including 4.5.5 are susceptible. Any WordPress site that has installed these versions of the plugin is at risk.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. The EPSS score of less than 1% suggests the likelihood of exploitation is very low at present, and the issue is not listed in the CISA KEV catalog. Exploitation requires authentication with at least a Subscriber role and involves sending a crafted AJAX request to the wps_rma_cancel_return_request endpoint. The absence of an ownership check on the request key is what lets the attacker target other users' refund records.

Generated by OpenCVE AI on April 22, 2026 at 21:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Return Refund and Exchange For WooCommerce plugin to version 4.5.6 or later, which removes the insecure endpoint.
  • Restrict access to the wps_rma_cancel_return_request AJAX endpoint so that only users with appropriate privileges can invoke it, or disable it entirely if not needed.
  • Implement server-side validation of refund identifiers so that a user can only cancel requests that belong to them, thereby mitigating the CWE-639 vulnerability.
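The ownership check the last action calls for, shown as an added illustration of the CWE-639 fix pattern for a WordPress AJAX handler; this is not the plugin's own code. The hook name reuses the endpoint named in the advisory, while the post type 'wps_rma_request', the 'request_id' parameter, the nonce action and the callback names are assumptions.

```php
<?php
// Added illustration of the CWE-639 fix pattern; not the plugin's code.
// Assumption: refund requests are stored as posts of a hypothetical custom
// post type 'wps_rma_request' whose post_author is the requesting customer.

// Vulnerable pattern (the class of bug the advisory describes): the id comes
// from the client and is acted on without checking that the caller owns it.
function wps_rma_cancel_return_request_vulnerable() {
    $request_id = isset( $_POST['request_id'] ) ? absint( $_POST['request_id'] ) : 0;
    wp_delete_post( $request_id, true ); // any logged-in user can supply any id
    wp_send_json_success();
}

// Hardened pattern: nonce, authentication, object type and ownership are all
// verified on the server before the record is touched.
function wps_rma_cancel_return_request_hardened() {
    // 1. CSRF protection: the calling form/JS must carry a nonce for this action.
    check_ajax_referer( 'wps_rma_cancel_nonce', 'security' );

    // 2. The caller must be logged in (a wp_ajax_ hook already implies this).
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'unauthenticated', 401 );
    }

    $request_id = isset( $_POST['request_id'] ) ? absint( $_POST['request_id'] ) : 0;
    $request    = get_post( $request_id );

    // 3. The id must refer to an object of the expected type, not an arbitrary post.
    if ( ! $request || 'wps_rma_request' !== $request->post_type ) {
        wp_send_json_error( 'not_found', 404 );
    }

    // 4. Ownership: only the customer who filed the request, or a shop manager,
    //    may cancel it. This is the check whose absence makes the endpoint an IDOR.
    $is_owner = (int) $request->post_author === get_current_user_id();
    if ( ! $is_owner && ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Trash rather than hard-delete so an audit trail of cancellations survives.
    wp_trash_post( $request_id );
    wp_send_json_success( array( 'cancelled' => $request_id ) );
}

// Only the hardened callback is registered for the endpoint.
add_action( 'wp_ajax_wps_rma_cancel_return_request', 'wps_rma_cancel_return_request_hardened' );
```

The same four checks apply to any other AJAX action that takes a record id from the client, which is how a reviewer would audit the rest of a plugin for this weakness class.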

Advisories

No advisories yet.

History

Mon, 24 Nov 2025 09:15:00 +0000

  • First Time appeared (values added): Wordpress; Wordpress wordpress; Wpswings; Wpswings return Refund And Exchange For Woocommerce
  • Vendors & Products (values added): Wordpress; Wordpress wordpress; Wpswings; Wpswings return Refund And Exchange For Woocommerce

Fri, 21 Nov 2025 15:15:00 +0000

  • Metrics (values added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 21 Nov 2025 07:45:00 +0000

  • Description (values added): The Return Refund and Exchange For WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.5.5 via the 'wps_rma_cancel_return_request' AJAX endpoint due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete other users' refund requests.
  • Title (values added): Return Refund and Exchange For WooCommerce <= 4.5.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Refund Request Cancellation
  • Weaknesses (values added): CWE-639
  • References (values added):
  • Metrics (values added): cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:36:25.470Z

Reserved: 2025-10-22T18:05:44.982Z

Link: CVE-2025-12086

Vulnrichment

Updated: 2025-11-21T14:53:53.770Z

NVD

Status: Deferred

Published: 2025-11-21T08:15:52.483

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12086

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T21:15:27Z

Weaknesses