Search criteria
4 vulnerabilities found for Flexible Refund and Return Order for WooCommerce by wpdesk
CVE-2025-12621 (GCVE-0-2025-12621)
Vulnerability from nvd – Published: 2025-11-08 07:26 – Updated: 2025-11-10 14:14
VLAI?
Title
Flexible Refund and Return Order for WooCommerce <= 1.0.42 - Incorrect Authorization to Authenticated (Contributor+) Refund Status Update
Summary
The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on the 'create_refund' function in all versions up to, and including, 1.0.42. This makes it possible for authenticated attackers, with Contributor-level access and above, to update the status of refund requests, including approving and refusing refunds.
Severity ?
5.3 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpdesk | Flexible Refund and Return Order for WooCommerce |
Affected:
* , ≤ 1.0.42
(semver)
|
Credits
Powpy
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12621",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-10T14:10:09.515297Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T14:14:29.598Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Flexible Refund and Return Order for WooCommerce",
"vendor": "wpdesk",
"versions": [
{
"lessThanOrEqual": "1.0.42",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Powpy"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on the \u0027create_refund\u0027 function in all versions up to, and including, 1.0.42. This makes it possible for authenticated attackers, with Contributor-level access and above, to update the status of refund requests, including approving and refusing refunds."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-08T07:26:28.151Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8498c671-b46e-420c-a482-7c6983596753?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/flexible-refund-and-return-order-for-woocommerce/trunk/vendor_prefixed/wpdesk/flexible-refunds-core/src/Integration/Ajax.php#L55"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old=3378649%40flexible-refund-and-return-order-for-woocommerce%2Ftags%2F1.0.42\u0026new=3390898%40flexible-refund-and-return-order-for-woocommerce%2Ftags%2F1.0.43"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-02T17:40:51.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-07T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Flexible Refund and Return Order for WooCommerce \u003c= 1.0.42 - Incorrect Authorization to Authenticated (Contributor+) Refund Status Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12621",
"datePublished": "2025-11-08T07:26:28.151Z",
"dateReserved": "2025-11-02T17:25:24.607Z",
"dateUpdated": "2025-11-10T14:14:29.598Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-10570 (GCVE-0-2025-10570)
Vulnerability from nvd – Published: 2025-10-22 06:40 – Updated: 2025-10-22 15:46
VLAI?
Title
Flexible Refund and Return Order for WooCommerce <= 1.0.38 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Order Refund
Summary
The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.38 via the save_refund_request() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to submit refund requests for arbitrary orders that they do not own.
Severity ?
4.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpdesk | Flexible Refund and Return Order for WooCommerce |
Affected:
* , ≤ 1.0.38
(semver)
|
Credits
Powpy
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10570",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-22T15:46:36.960489Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T15:46:51.276Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Flexible Refund and Return Order for WooCommerce",
"vendor": "wpdesk",
"versions": [
{
"lessThanOrEqual": "1.0.38",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Powpy"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.38 via the save_refund_request() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to submit refund requests for arbitrary orders that they do not own."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T06:40:59.103Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bd9b6575-f49b-4586-a716-69d39242423d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3375005/flexible-refund-and-return-order-for-woocommerce"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-30T15:25:42.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-10-21T17:57:53.000+00:00",
"value": "Disclosed"
}
],
"title": "Flexible Refund and Return Order for WooCommerce \u003c= 1.0.38 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Order Refund"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-10570",
"datePublished": "2025-10-22T06:40:59.103Z",
"dateReserved": "2025-09-16T16:19:08.622Z",
"dateUpdated": "2025-10-22T15:46:51.276Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-12621 (GCVE-0-2025-12621)
Vulnerability from cvelistv5 – Published: 2025-11-08 07:26 – Updated: 2025-11-10 14:14
VLAI?
Title
Flexible Refund and Return Order for WooCommerce <= 1.0.42 - Incorrect Authorization to Authenticated (Contributor+) Refund Status Update
Summary
The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on the 'create_refund' function in all versions up to, and including, 1.0.42. This makes it possible for authenticated attackers, with Contributor-level access and above, to update the status of refund requests, including approving and refusing refunds.
Severity ?
5.3 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpdesk | Flexible Refund and Return Order for WooCommerce |
Affected:
* , ≤ 1.0.42
(semver)
|
Credits
Powpy
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12621",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-10T14:10:09.515297Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-10T14:14:29.598Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Flexible Refund and Return Order for WooCommerce",
"vendor": "wpdesk",
"versions": [
{
"lessThanOrEqual": "1.0.42",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Powpy"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on the \u0027create_refund\u0027 function in all versions up to, and including, 1.0.42. This makes it possible for authenticated attackers, with Contributor-level access and above, to update the status of refund requests, including approving and refusing refunds."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-08T07:26:28.151Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8498c671-b46e-420c-a482-7c6983596753?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/flexible-refund-and-return-order-for-woocommerce/trunk/vendor_prefixed/wpdesk/flexible-refunds-core/src/Integration/Ajax.php#L55"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?old=3378649%40flexible-refund-and-return-order-for-woocommerce%2Ftags%2F1.0.42\u0026new=3390898%40flexible-refund-and-return-order-for-woocommerce%2Ftags%2F1.0.43"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-02T17:40:51.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-11-07T00:00:00.000+00:00",
"value": "Disclosed"
}
],
"title": "Flexible Refund and Return Order for WooCommerce \u003c= 1.0.42 - Incorrect Authorization to Authenticated (Contributor+) Refund Status Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12621",
"datePublished": "2025-11-08T07:26:28.151Z",
"dateReserved": "2025-11-02T17:25:24.607Z",
"dateUpdated": "2025-11-10T14:14:29.598Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-10570 (GCVE-0-2025-10570)
Vulnerability from cvelistv5 – Published: 2025-10-22 06:40 – Updated: 2025-10-22 15:46
VLAI?
Title
Flexible Refund and Return Order for WooCommerce <= 1.0.38 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Order Refund
Summary
The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.38 via the save_refund_request() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to submit refund requests for arbitrary orders that they do not own.
Severity ?
4.3 (Medium)
CWE
- CWE-639 - Authorization Bypass Through User-Controlled Key
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| wpdesk | Flexible Refund and Return Order for WooCommerce |
Affected:
* , ≤ 1.0.38
(semver)
|
Credits
Powpy
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-10570",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-22T15:46:36.960489Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T15:46:51.276Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Flexible Refund and Return Order for WooCommerce",
"vendor": "wpdesk",
"versions": [
{
"lessThanOrEqual": "1.0.38",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Powpy"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.38 via the save_refund_request() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to submit refund requests for arbitrary orders that they do not own."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639 Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-22T06:40:59.103Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bd9b6575-f49b-4586-a716-69d39242423d?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3375005/flexible-refund-and-return-order-for-woocommerce"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-09-30T15:25:42.000+00:00",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2025-10-21T17:57:53.000+00:00",
"value": "Disclosed"
}
],
"title": "Flexible Refund and Return Order for WooCommerce \u003c= 1.0.38 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Order Refund"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-10570",
"datePublished": "2025-10-22T06:40:59.103Z",
"dateReserved": "2025-09-16T16:19:08.622Z",
"dateUpdated": "2025-10-22T15:46:51.276Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}