Description
The Return Refund and Exchange For WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.5.5 via the wps_rma_fetch_order_msgs() function due to missing validation on a user-controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read other users' order messages.
Published: 2025-11-21
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Order Data Disclosure
Action: Apply Patch
AI Analysis

Impact

The Return Refund and Exchange For WooCommerce plugin contains an insecure direct object reference (CWE-639, authorization bypass through a user-controlled key) that allows authenticated users with Subscriber-level access or higher to read order messages belonging to other users. The flaw is a missing authorization check: wps_rma_fetch_order_msgs() accepts a key supplied by the caller and returns the messages it refers to without confirming that the calling account owns the referenced order. The result is a confidentiality breach that exposes messages tied to customer orders, so an attacker can learn personal or financial details associated with those orders without needing any privilege beyond an ordinary low-level account.
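The pattern behind this class of bug, and the check that closes it, as an added illustration that is not the plugin's own code: the vulnerable handler below resolves whatever order ID the request carries, while the hardened one resolves the order and then compares its customer to the calling user (or requires a shop-management capability) before returning anything. The AJAX action name, nonce action and the `_rma_order_msgs` meta key are assumptions made for the example; the page does not state how the real handler is wired up or where it stores messages.

```php
<?php
// Illustrative WordPress/WooCommerce AJAX handlers (example code, not the plugin's).
// Assumptions: messages are stored in order meta under the hypothetical key
// '_rma_order_msgs'; the request reaches admin-ajax.php with an 'order_id'
// field and a nonce created by wp_create_nonce( 'example_fetch_msgs' ).

// Vulnerable pattern (CWE-639): the order ID is sanitized as an integer but
// nothing ties it to the caller, so any logged-in user can read any order.
function example_fetch_order_msgs_vulnerable() {
	$order_id = absint( $_POST['order_id'] ?? 0 );
	wp_send_json_success( get_post_meta( $order_id, '_rma_order_msgs', true ) );
}

// Hardened pattern: authenticate the request, resolve the object server-side,
// then authorize the caller against the object's owner before returning data.
function example_fetch_order_msgs_hardened() {
	check_ajax_referer( 'example_fetch_msgs', 'nonce' );

	// wp_ajax_* hooks only fire for logged-in users, but the explicit check also
	// guards the owner comparison below: guest orders have customer_id 0, and a
	// logged-out request would also resolve to user 0 and "match" them.
	if ( ! is_user_logged_in() ) {
		wp_send_json_error( 'login required', 401 );
	}

	$order_id = absint( $_POST['order_id'] ?? 0 );
	$order    = $order_id ? wc_get_order( $order_id ) : false;
	if ( ! $order ) {
		wp_send_json_error( 'not found', 404 );
	}

	$is_owner = (int) $order->get_customer_id() === get_current_user_id();
	if ( ! $is_owner && ! current_user_can( 'manage_woocommerce' ) ) {
		// Same response as a missing order, so a Subscriber cannot use the
		// endpoint as an oracle to enumerate which order IDs exist.
		wp_send_json_error( 'not found', 404 );
	}

	// Read meta through the order object so it works with either post-based
	// or HPOS order storage.
	wp_send_json_success( $order->get_meta( '_rma_order_msgs' ) );
}
add_action( 'wp_ajax_example_fetch_order_msgs', 'example_fetch_order_msgs_hardened' );
```

The important distinction is that `absint()` and the nonce check are not authorization: they only confirm the value is well-formed and the request came from the site's own page. The ownership comparison against `get_customer_id()` is what turns an attacker-chosen key into a reference the caller is actually allowed to dereference.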

Affected Systems

The vulnerability impacts the WordPress plugin "Return Refund and Exchange For WooCommerce" developed by wpswings, affecting all released versions up to and including 4.5.5. The affected code path allows any authenticated Subscriber or higher role to exploit the insecure direct object reference.

Risk and Exploitability

The CVSS score of 5.4 indicates Medium severity (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N). The EPSS score of < 1% suggests a low likelihood of exploitation in the near term, and the vulnerability is not listed in CISA KEV, so no in-the-wild exploitation has been recorded there. The attack vector is network: the only precondition is a low-privilege authenticated account (Subscriber or above), which on sites with open registration an attacker can simply create. For businesses handling customer order information the potential for data leakage therefore remains significant despite the modest score.

Generated by OpenCVE AI on April 22, 2026 at 00:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Return Refund and Exchange For WooCommerce plugin to a version later than 4.5.5 as soon as the vendor publishes one; all versions up to and including 4.5.5 are affected.
  • If an immediate update is not possible, reduce who can reach the vulnerable code path: disable open registration (Settings > General, "Anyone can register") if the site does not need self-service Subscriber accounts, review existing low-privilege accounts, and remove or deactivate the plugin if its return/refund workflow is not in active use.
  • Apply a web application firewall rule that restricts requests reaching the handler behind wps_rma_fetch_order_msgs() (the exact request path or AJAX action name is not given on this page) to accounts with a shop-management role, and monitor for a single low-privilege account requesting many distinct order identifiers, which is the enumeration pattern this flaw invites. Rules that only block unauthenticated traffic do not help here, since the attacker is already authenticated.

Advisories

No advisories yet.

History

Mon, 24 Nov 2025 18:15:00 +0000

Type: Metrics
Values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 24 Nov 2025 09:15:00 +0000

Type: First Time appeared
Values added: Wordpress wordpress; Wpswings; Wpswings return Refund And Exchange For Woocommerce

Type: Vendors & Products
Values added: Wordpress wordpress; Wpswings; Wpswings return Refund And Exchange For Woocommerce

Fri, 21 Nov 2025 07:45:00 +0000

Type: Description
Values added: The Return Refund and Exchange For WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.5.5 via the wps_rma_fetch_order_msgs() due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read other user's order messages.

Type: Title
Values added: Return Refund and Exchange For WooCommerce <= 4.5.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Order Message Read

Type: Weaknesses
Values added: CWE-639

Type: References
Values added: (none listed)

Type: Metrics
Values added: cvssV3_1 {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


Subscriptions

Wordpress Wordpress
Wpswings Return Refund And Exchange For Woocommerce
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:11:23.231Z

Reserved: 2025-11-07T16:19:02.823Z

Link: CVE-2025-12881

Vulnrichment

Updated: 2025-11-21T16:16:32.683Z

NVD

Status: Deferred

Published: 2025-11-21T08:15:54.177

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12881

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T00:45:04Z

Weaknesses