CVE-2025-10570 MEDIUM

CVE-2025-10570: Flexible Refund and Return Order for WooCommerce <= 1.0.38 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Order Refund

Vendor Wpdesk
Product Flexible Refund and Return Order for WooCommerce
Weakness CWE-639 · IDOR
Published October 22, 2025
Last update April 8, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.38 via the save_refund_request() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to submit refund requests for arbitrary orders that they do not own.
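The following is an added illustrative example and not the plugin's own code: the hook name, request parameter names and helper functions are assumptions made up for the example. It contrasts a refund-request handler that only requires a logged-in session (the missing-authorization pattern the description refers to, where any subscriber can file a refund request against an order id they do not own) with a hardened handler that verifies the order belongs to the caller and carries a CSRF nonce. Only documented WordPress and WooCommerce APIs are used (wc_get_order, WC_Order::get_customer_id, check_ajax_referer, current_user_can, wp_send_json_error).

```php
<?php
// Added example, not code from the plugin. Hook names, parameter names and
// the example_* helpers are assumptions for illustration only.

// Shared persistence helper: records the request as order meta data.
function example_store_refund_request( WC_Order $order, int $requested_by ) {
    $order->update_meta_data( '_example_refund_requested_by', $requested_by );
    $order->update_meta_data( '_example_refund_requested_at', time() );
    $order->save();
}

// Vulnerable pattern: the handler trusts the submitted order_id and the
// wp_ajax_ hook only guarantees that *some* user is logged in (subscriber
// included). Nothing ties the order to the caller.
function example_save_refund_request_unchecked() {
    $order_id = absint( $_POST['order_id'] ?? 0 );
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( 'unknown order', 404 );
    }
    // Missing check: does $order belong to get_current_user_id()?
    example_store_refund_request( $order, get_current_user_id() );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_refund_unchecked', 'example_save_refund_request_unchecked' );

// Hardened pattern: explicit ownership check. Shop managers (the
// manage_woocommerce capability) may act on any order; everyone else only
// on orders whose customer id equals their own user id. Guest orders carry
// customer id 0, which never matches a logged-in user.
function example_current_user_may_request_refund( WC_Order $order ) {
    $user_id = get_current_user_id();
    if ( $user_id === 0 ) {
        return false;
    }
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }
    return (int) $order->get_customer_id() === $user_id;
}

function example_save_refund_request_checked() {
    // CSRF protection: the form must carry a nonce for this action.
    check_ajax_referer( 'example_refund_request', 'nonce' );

    $order_id = absint( $_POST['order_id'] ?? 0 );
    $order    = wc_get_order( $order_id );

    // Same response for "no such order" and "not your order", so the
    // endpoint cannot be used to enumerate valid order ids.
    if ( ! $order || ! example_current_user_may_request_refund( $order ) ) {
        wp_send_json_error( 'order not found', 404 );
    }

    example_store_refund_request( $order, get_current_user_id() );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_refund_checked', 'example_save_refund_request_checked' );
```

The ownership check is the fix for the class of bug described above; the nonce is a separate control against cross-site request forgery and does not substitute for authorization, since a nonce issued to the attacker's own session is valid for any order id they submit.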

Explanation of Vulnerability in Simple Terms

02 Summary

The Flexible Refund and Return Order plugin for WooCommerce does not check that the caller owns the order when a refund request is saved. Any authenticated user, including one with only the subscriber role, can send a direct request to the save_refund_request() handler naming an order that belongs to another customer and file a refund request against it. This affects all versions up to and including 1.0.38. Site owners should update to a version newer than 1.0.38 when available.

What an attacker can do

03 Attacker Capabilities

Submit refund requests against arbitrary orders belonging to other customers, creating refund or return records the order owner never asked for.

Potential impact on your site

04 Site Impact

Refund and return records can be tampered with, leading to financial discrepancies and customer disputes.

Conditions required to exploit

05 Prerequisites

Attacker must have an authenticated account on the site; the lowest WordPress role (subscriber, or the equivalent WooCommerce customer role) is sufficient, and no higher privilege such as shop manager is needed.

Key dates

06 Disclosure timeline

October 22, 2025 CVE published
April 8, 2026 Record updated