Description
The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on the 'create_refund' function in all versions up to, and including, 1.0.42. This makes it possible for authenticated attackers, with Contributor-level access and above, to update the status of refund requests, including approving and refusing refunds.
Published: 2025-11-08
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Refund Status Manipulation
Action: Patch
AI Analysis

Impact

The Flexible Refund and Return Order for WooCommerce plugin contains a misconfigured capability check in its create_refund function. Consequently, any user with Contributor level access or higher can alter the status of refund requests, allowing an attacker to approve or reject refunds without permission. This flaw is a classic example of a missing authorization vulnerability (CWE-863) and compromises data integrity by enabling the manipulation of financial records.

Affected Systems

All installations of wpdesk Flexible Refund and Return Order for WooCommerce version 1.0.42 and earlier are affected. It is a WordPress plugin that extends WooCommerce on e-commerce sites. Any WooCommerce store that has installed an affected version of the plugin must assess whether it is vulnerable.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity, while an EPSS score of less than 1% suggests a low likelihood of exploitation at this time. The vulnerability is not listed in CISA's KEV catalog, which further reduces perceived risk. Attackers would need an authenticated account with at least Contributor privileges to exploit this flaw, so the attack requires a valid login rather than anonymous access. Once authenticated, they could call the plugin's Ajax endpoint, whose capability check is misconfigured, to change refund statuses.

Generated by OpenCVE AI on April 21, 2026 at 18:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Flexible Refund and Return Order for WooCommerce to version 1.0.43 or later, which includes proper capability checks.
  • If an update cannot be applied immediately, restrict Contributor roles from accessing refund actions, either by removing the capability or by using a role manager plugin to limit their permissions.
  • Audit refund logs for unauthorized status changes and review all approved refunds for consistency with legitimate customer requests.
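The following PHP is an added illustration of the authorization pattern this record describes: an admin-ajax handler for updating a refund request's status that verifies a nonce, checks a real capability rather than mere login state, allow-lists its inputs and writes an audit entry that supports the log review recommended above. It is not the plugin's code and not the vendor's fix; the action name, nonce name, post meta keys, helper names and the choice of WooCommerce's manage_woocommerce capability are assumptions made for the example.

```php
<?php
/**
 * Added illustrative example: a hardened admin-ajax handler for changing a
 * refund request's status. NOT the plugin's code; the action name, nonce
 * name, meta keys and helper names below are assumptions.
 */

add_action( 'wp_ajax_example_update_refund_status', 'example_update_refund_status' );

/**
 * Capability that gates refund handling. Assumption: WooCommerce's
 * 'manage_woocommerce' capability, held by Administrators and Shop Managers
 * but not by Contributors. Filterable so a site can tighten it further.
 */
function example_refund_capability() {
    return apply_filters( 'example_refund_capability', 'manage_woocommerce' );
}

function example_update_refund_status() {
    // CSRF protection: the request must carry a nonce created with
    // wp_create_nonce( 'example_refund_status' ) for the current user.
    check_ajax_referer( 'example_refund_status', 'nonce' );

    // Authorization: being logged in is not enough, since any Contributor can
    // reach admin-ajax.php. Require a capability that reflects refund authority.
    if ( ! current_user_can( example_refund_capability() ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Input validation: integer id that exists, status from an allow-list only.
    $refund_id = isset( $_POST['refund_id'] ) ? absint( $_POST['refund_id'] ) : 0;
    $status    = isset( $_POST['status'] ) ? sanitize_key( wp_unslash( $_POST['status'] ) ) : '';
    $allowed   = array( 'approved', 'refused' );

    if ( 0 === $refund_id || null === get_post( $refund_id ) || ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid refund id or status.' ), 400 );
    }

    $previous = get_post_meta( $refund_id, '_example_refund_status', true );

    // Persist the new status under an assumed meta key.
    update_post_meta( $refund_id, '_example_refund_status', $status );

    // Audit trail: append who changed what and when, so unauthorized changes
    // can be reviewed from the record rather than inferred from their effects.
    add_post_meta( $refund_id, '_example_refund_status_log', array(
        'user_id' => get_current_user_id(),
        'from'    => $previous,
        'to'      => $status,
        'time'    => current_time( 'mysql', true ),
        'ip'      => isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : '',
    ) );

    wp_send_json_success( array( 'refund_id' => $refund_id, 'status' => $status ) );
}
```

The capability check is the control that the record says is misconfigured in the affected versions; the nonce check only protects against cross-site requests and would not stop a logged-in Contributor on its own, which is why the two are distinct steps. The per-change log entry is what makes the third recommended action (auditing refund status changes) possible without relying on external logging.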

Tracking


Advisories

No advisories yet.

History

Mon, 10 Nov 2025 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 10 Nov 2025 09:45:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress; Wpdesk; Wpdesk flexible Refund And Return Order For Woocommerce

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress; Wpdesk; Wpdesk flexible Refund And Return Order For Woocommerce

Sat, 08 Nov 2025 07:30:00 +0000

Type: Description
Values Added: The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on the 'create_refund' function in all versions up to, and including, 1.0.42. This makes it possible for authenticated attackers, with Contributor-level access and above, to update the status of refund requests, including approving and refusing refunds.

Type: Title
Values Added: Flexible Refund and Return Order for WooCommerce <= 1.0.42 - Incorrect Authorization to Authenticated (Contributor+) Refund Status Update

Type: Weaknesses
Values Added: CWE-863

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Subscriptions

Wordpress Wordpress
Wpdesk Flexible Refund And Return Order For Woocommerce
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:04:26.863Z

Reserved: 2025-11-02T17:25:24.607Z

Link: CVE-2025-12621

Vulnrichment

Updated: 2025-11-10T14:10:10.268Z

NVD

Status: Deferred

Published: 2025-11-08T08:15:45.023

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12621

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T18:45:06Z

Weaknesses