CVE-2025-12621 MEDIUM

CVE-2025-12621: Flexible Refund and Return Order for WooCommerce <= 1.0.42 - Incorrect Authorization to Authenticated (Contributor+) Refund Status Update

Vendor Wpdesk
Product Flexible Refund and Return Order for WooCommerce
Weakness CWE-863 · Incorrect authorization
Published November 8, 2025
Last update April 8, 2026

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

Description

The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on the 'create_refund' function in all versions up to, and including, 1.0.42. This makes it possible for authenticated attackers, with Contributor-level access and above, to update the status of refund requests, including approving and refusing refunds.
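To illustrate the class of flaw the description names (CWE-863: a capability check that exists but admits the wrong role), here is an added PHP example of a WordPress AJAX handler that updates a refund request's status, first with a check that Contributors pass and then hardened. This is not code from the Flexible Refund and Return Order plugin or from WP Desk; the function names, hook names, meta key, nonce action and status values are all invented for the illustration.

```php
<?php
// Illustrative WordPress AJAX handlers for changing a refund request's status.
// Hypothetical code; not the plugin's own implementation.

// BEFORE (too permissive): 'edit_posts' is held by Contributors and every
// higher role, so any Contributor-level account passes this check and can
// approve or refuse refunds. There is also no nonce, so the request is
// not tied to a form the user actually submitted.
function example_update_refund_status_weak() {
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $refund_id = absint( $_POST['refund_id'] ?? 0 );
    $status    = sanitize_key( $_POST['status'] ?? '' );
    update_post_meta( $refund_id, '_example_refund_status', $status ); // invented meta key
    wp_send_json_success();
}
add_action( 'wp_ajax_example_update_refund_status_weak', 'example_update_refund_status_weak' );

// AFTER (hardened): require a nonce, require a store-management capability
// rather than a generic content capability, and validate the requested state.
function example_update_refund_status_hardened() {
    // Dies with a 403 response when the nonce is missing or invalid.
    check_ajax_referer( 'example_update_refund_status', 'nonce' );

    // 'manage_woocommerce' is the WooCommerce capability held by Shop Managers
    // and Administrators; Contributors, Authors and Editors do not have it.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $refund_id = absint( $_POST['refund_id'] ?? 0 );
    $status    = sanitize_key( $_POST['status'] ?? '' );
    $allowed   = array( 'pending', 'approved', 'refused' ); // invented allow-list

    if ( 0 === $refund_id || ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( 'invalid request', 400 );
    }

    update_post_meta( $refund_id, '_example_refund_status', $status );
    wp_send_json_success( array( 'refund_id' => $refund_id, 'status' => $status ) );
}
add_action( 'wp_ajax_example_update_refund_status', 'example_update_refund_status_hardened' );
```

When reviewing a plugin's handlers for this pattern, the question to ask of each privileged action is which WordPress capability gates it and which roles hold that capability; `edit_posts`, `read` or a bare `is_user_logged_in()` check is rarely the right gate for store operations such as refund approval.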

Explanation of Vulnerability in Simple Terms

Summary

The Flexible Refund and Return Order plugin for WooCommerce contains an authorization flaw that allows authenticated users with Contributor-level access or higher to modify refund and return requests. The vulnerability affects all versions up to and including 1.0.42 and requires no user interaction. Site owners should update immediately to prevent unauthorized changes to order refund statuses.

What an attacker can do

Attacker Capabilities

Update the status of refund and return requests, including approving or refusing them, from any account with Contributor-level access or higher.

Potential impact on your site

Site Impact

Attackers can alter refund statuses and return order details, potentially causing financial loss and customer disputes.

Conditions required to exploit

Prerequisites

Network access to the site and an authenticated account with Contributor-level access or higher; no user interaction required.

Key dates

Disclosure timeline

November 8, 2025 CVE published
April 8, 2026 Record updated