Description
Authorization Bypass Through User-Controlled Key vulnerability in YoOhw Studio Order Cancellation & Returns for WooCommerce wc-order-cancellation-return allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Order Cancellation & Returns for WooCommerce: from n/a through <= 1.1.11.
Published: 2025-12-31
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The issue is an insecure direct object reference (CWE-639, Authorization Bypass Through User-Controlled Key) in the order cancellation and return functions of YoOhw Studio's Order Cancellation & Returns for WooCommerce plugin. A low-privileged authenticated user (CVSS PR:L; on a WooCommerce store, typically any registered customer) can submit an order identifier they do not own in the plugin's cancel or return request, and the plugin acts on that order without verifying that it belongs to the requester. The attacker can therefore cancel, or initiate returns for, other customers' orders. The CVSS vector rates the technical impact as integrity-only and low (C:N/I:L/A:N); the practical consequences for a store are unauthorized order state changes, return or refund workflows triggered against other customers' purchases, and the resulting financial loss and customer disruption.

Affected Systems

YoOhw Studio's Order Cancellation & Returns for WooCommerce plugin for WordPress (slug wc-order-cancellation-return) is affected. All releases up to and including version 1.1.11 are vulnerable. Note that the affected range was first published as "through 1.1.10" and later widened to "<= 1.1.11" (see History), so a site that upgraded to 1.1.11 on the basis of the original advisory is still affected.

Risk and Exploitability

The CVSS 3.1 base score of 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) rates the issue Medium: reachable over the network, low attack complexity, no user interaction, requiring only a low-privileged account, with a low integrity impact and no confidentiality or availability impact. The EPSS score below 1% reflects a very low estimated probability of exploitation in the wild, the issue is not listed in the CISA KEV catalog, and the SSVC assessment records Exploitation: none, Automatable: no, Technical Impact: partial. Exploitation is nonetheless simple: a logged-in user substitutes another customer's order identifier in the cancellation or return request, an ordinary HTTP request that needs no special tooling. On success the attacker cancels or triggers returns for orders they do not own; the published data supports nothing beyond that, so the issue should not be read as order deletion or broader access to the site.

Generated by OpenCVE AI on April 30, 2026 at 04:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a plugin release newer than 1.1.11 once the vendor publishes one. At the time of this analysis no vendor fix or workaround is listed, so treat every installed version up to and including 1.1.11 as vulnerable and watch the vendor changelog and the Patchstack advisory for a fixed release
  • As an interim workaround, if the business can tolerate it, disable the customer-facing cancel and return actions (for example by deactivating the plugin) or restrict them to shop managers and administrators so that ordinary customers cannot trigger them
  • For a permanent fix in the plugin code, resolve the order from the submitted order ID and confirm that it belongs to the current user (for example through WooCommerce's cancel_order meta capability, or by comparing the order's customer ID with the current user ID) before processing a cancellation or return; reject the request with the same "not found" response for a nonexistent order and for someone else's order so that the endpoint cannot be used to enumerate valid order IDs

Generated by OpenCVE AI on April 30, 2026 at 04:30 UTC.
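The identifier substitution described under Risk and Exploitability, and the ownership check recommended in the last action above, as an added illustration that is not code from the Order Cancellation & Returns plugin (the plugin's real handler, endpoint and parameter names are not published on this page): a hypothetical WordPress admin-ajax handler that cancels a WooCommerce order, shown first in the CWE-639 pattern, where the order_id taken from the request is the only thing selecting the order, and then hardened. The action name example_cancel_order, the order_id and nonce parameters and the two function names are assumptions; wc_get_order, WC_Order::get_customer_id, WC_Order::has_status, WC_Order::update_status, check_ajax_referer and the WooCommerce cancel_order meta capability are real APIs.

```php
<?php
// Added illustration, not code from the Order Cancellation & Returns plugin.
// A hypothetical admin-ajax handler that cancels a WooCommerce order, shown
// first in the CWE-639 pattern and then hardened. The action name
// 'example_cancel_order', the 'order_id' and 'nonce' parameters and the two
// function names are assumptions; the WordPress/WooCommerce calls are real.

// VULNERABLE PATTERN: the request-supplied order ID is the only thing that
// selects the order. Any logged-in customer can send another customer's ID.
function example_cancel_order_insecure() {
    $order_id = absint( $_POST['order_id'] ?? 0 );
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( 'not found', 404 );
    }
    // No check that $order belongs to the requester.
    $order->update_status( 'cancelled', 'Cancelled by customer' );
    wp_send_json_success();
}

// HARDENED PATTERN: authenticate the request (login + nonce), resolve the
// order, then confirm ownership before changing anything.
function example_cancel_order_secure() {
    // Nonce issued to the form with wp_create_nonce( 'example_cancel_order' );
    // check_ajax_referer() terminates the request if it is missing or invalid.
    check_ajax_referer( 'example_cancel_order', 'nonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }

    $order_id = absint( $_POST['order_id'] ?? 0 );
    $order    = wc_get_order( $order_id );

    // Ownership: WooCommerce grants the 'cancel_order' meta capability only to
    // the user who placed the order; the explicit customer-ID comparison makes
    // the rule visible and also rejects guest orders (customer ID 0).
    $owns_order = $order
        && current_user_can( 'cancel_order', $order_id )
        && (int) $order->get_customer_id() === get_current_user_id();

    // Same response for "no such order" and "not your order", so the endpoint
    // cannot be used to enumerate valid order IDs.
    if ( ! $owns_order ) {
        wp_send_json_error( 'not found', 404 );
    }

    // Only cancel from states where this (hypothetical) store allows it.
    if ( ! $order->has_status( array( 'pending', 'on-hold', 'processing' ) ) ) {
        wp_send_json_error( 'order cannot be cancelled', 409 );
    }

    $order->update_status( 'cancelled', 'Cancelled by customer' );
    wp_send_json_success( array( 'order_id' => $order_id ) );
}
add_action( 'wp_ajax_example_cancel_order', 'example_cancel_order_secure' );
```

The same three steps apply to a return request: resolve the order from the submitted ID, confirm it belongs to the current user, and only then change its state. Validating that the ID is numeric, as the insecure version does with absint(), is not an authorization check; it only guarantees that some order is looked up, not that the requester is allowed to act on it.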

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 18:30:00 +0000

Type: Description
Values Removed: Authorization Bypass Through User-Controlled Key vulnerability in YoOhw Studio Order Cancellation &amp; Returns for WooCommerce wc-order-cancellation-return allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Order Cancellation &amp; Returns for WooCommerce: from n/a through <= 1.1.11.
Values Added: Authorization Bypass Through User-Controlled Key vulnerability in YoOhw Studio Order Cancellation & Returns for WooCommerce wc-order-cancellation-return allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Order Cancellation & Returns for WooCommerce: from n/a through <= 1.1.11.

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Authorization Bypass Through User-Controlled Key vulnerability in YoOhw Studio Order Cancellation & Returns for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Order Cancellation & Returns for WooCommerce: from n/a through 1.1.10.
Values Added: Authorization Bypass Through User-Controlled Key vulnerability in YoOhw Studio Order Cancellation &amp; Returns for WooCommerce wc-order-cancellation-return allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Order Cancellation &amp; Returns for WooCommerce: from n/a through <= 1.1.11.
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 05 Jan 2026 10:45:00 +0000

Type: First Time appeared
Values Added: Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress; Yoohw Studio; Yoohw Studio order Cancellation & Returns For Woocommerce
Type: Vendors & Products
Values Added: Woocommerce; Woocommerce woocommerce; Wordpress; Wordpress wordpress; Yoohw Studio; Yoohw Studio order Cancellation & Returns For Woocommerce

Wed, 31 Dec 2025 18:15:00 +0000

Type: Metrics ssvc
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 31 Dec 2025 16:45:00 +0000

Type: Description
Values Added: Authorization Bypass Through User-Controlled Key vulnerability in YoOhw Studio Order Cancellation & Returns for WooCommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Order Cancellation & Returns for WooCommerce: from n/a through 1.1.10.
Type: Title
Values Added: WordPress Order Cancellation & Returns for WooCommerce plugin <= 1.1.10 - Insecure Direct Object References (IDOR) vulnerability
Type: Weaknesses
Values Added: CWE-639
Type: References
Type: Metrics cvssV3_1
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:13:02.124Z

Reserved: 2025-06-04T09:42:34.940Z

Link: CVE-2025-49352

Vulnrichment

Updated: 2025-12-31T17:33:12.751Z

NVD

Status: Deferred

Published: 2025-12-31T17:15:44.267

Modified: 2026-04-28T19:33:01.817

Link: CVE-2025-49352

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T04:30:27Z

Weaknesses