What the vulnerability does
01 Description
The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.38 via the save_refund_request() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to submit refund requests for arbitrary orders that they do not own.
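The flaw class described above is an authorization check that is missing from a request handler: the handler validates that an order exists but never confirms that the requesting user owns it. The following PHP is a constructed illustration added here to show that pattern beside its hardened form; it is not the plugin's code, and every function and hook name prefixed `example_` is an assumption. The WordPress and WooCommerce calls used (`check_ajax_referer`, `wc_get_order`, `WC_Order::get_customer_id`, `WC_Order::has_status`, `wp_send_json_error`) are real APIs.

```php
<?php
// Constructed illustration of a missing-authorization handler and its fix.
// NOT the plugin's code; function, hook, nonce and meta-key names are assumed.

// --- Vulnerable pattern: any logged-in user may target any order ID ---
function example_save_refund_request_vulnerable() {
    $order_id = absint( $_POST['order_id'] ?? 0 );
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( 'invalid order' );
    }
    // Missing check: nothing ties $order to the current user, so a
    // subscriber-level account can file a request against someone else's order.
    $order->update_meta_data( '_example_refund_requested', 'yes' );
    $order->save();
    wp_send_json_success();
}

// --- Hardened pattern: CSRF nonce, login and ownership checks ---
function example_save_refund_request_hardened() {
    // Reject requests that did not originate from the plugin's own form.
    check_ajax_referer( 'example_refund_request', 'nonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }

    $order_id = absint( $_POST['order_id'] ?? 0 );
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( 'invalid order', 404 );
    }

    // Authorization: the order must belong to the user making the request.
    // Guest orders have customer ID 0 and are rejected here as well.
    $customer_id = (int) $order->get_customer_id();
    if ( 0 === $customer_id || $customer_id !== get_current_user_id() ) {
        wp_send_json_error( 'not your order', 403 );
    }

    // Business rule (assumed): only paid orders are eligible for a refund request.
    if ( ! $order->has_status( array( 'completed', 'processing' ) ) ) {
        wp_send_json_error( 'order not eligible', 400 );
    }

    $order->update_meta_data( '_example_refund_requested', 'yes' );
    $order->save();
    wp_send_json_success();
}

// Registered only on the authenticated AJAX hook; no wp_ajax_nopriv_ variant,
// so unauthenticated visitors cannot reach the handler at all.
add_action( 'wp_ajax_example_save_refund_request', 'example_save_refund_request_hardened' );
```

The ownership comparison is the line that distinguishes the two handlers; the nonce and status checks are defence in depth. WooCommerce also exposes a `view_order` meta capability (`current_user_can( 'view_order', $order_id )`) that resolves to the same ownership test for customers, which is a reasonable alternative when the plugin wants staff roles with order-management rights to pass as well. For site owners, the practical mitigation remains updating past 1.0.38; a review of refund-request records against order ownership will surface any requests filed by accounts that do not own the order.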
Explanation of Vulnerability in Simple Terms
02 Summary
The Flexible Refund and Return Order plugin for WooCommerce contains an authorization flaw that allows authenticated users to modify refund or return data they should not have access to. An attacker with a low-privilege account can alter order refund states or return statuses through direct requests. This affects all versions up to and including 1.0.38. Site owners should update to a version newer than 1.0.38 when available.
What an attacker can do
03 Attacker Capabilities
Modify refund or return order data belonging to other users or orders.
Potential impact on your site
04 Site Impact
Refund and return records can be tampered with, leading to financial discrepancies and customer disputes.
Conditions required to exploit
05 Prerequisites
Attacker must have a low-privilege WooCommerce account (e.g., customer or shop manager role).
Key dates
06 Disclosure timeline
October 22, 2025: CVE published
April 8, 2026: Record updated