What the vulnerability does
01 Description
The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on the 'create_refund' function in all versions up to, and including, 1.0.42. This makes it possible for authenticated attackers, with Contributor-level access and above, to update the status of refund requests, including approving and refusing refunds.
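The description above turns on a capability check that lets Contributor-level accounts reach an order-management action. As an added illustration, not the plugin's own code (which is not reproduced on this page), the snippet below contrasts a hypothetical WordPress AJAX handler whose only gate is a capability Contributors already hold with a version that requires a shop-management capability, a nonce, and a whitelisted status value. The action name, function names and the 'frr_refund_status' meta key are assumptions made for this example.

```php
<?php
// Added illustration only. This is NOT the Flexible Refund and Return Order
// plugin's code; frr_update_refund_status*, the AJAX action names and the
// 'frr_refund_status' meta key are placeholder names for this example.

// Weak version: 'edit_posts' is held by the Contributor role, so any
// Contributor-level account passes this check and can change a refund status.
add_action( 'wp_ajax_frr_update_refund_status_weak', 'frr_update_refund_status_weak' );
function frr_update_refund_status_weak() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );   // wp_send_json_error() calls wp_die()
    }
    $request_id = absint( $_POST['request_id'] ?? 0 );
    $status     = sanitize_key( $_POST['status'] ?? '' );
    update_post_meta( $request_id, 'frr_refund_status', $status );
    wp_send_json_success();
}

// Hardened version: verify a nonce (blocks cross-site request forgery), require
// a capability scoped to store management (administrators and shop managers
// hold 'manage_woocommerce'; Contributors do not), and accept only known
// status values before touching the record.
add_action( 'wp_ajax_frr_update_refund_status', 'frr_update_refund_status' );
function frr_update_refund_status() {
    // Dies with a 403 response when the 'nonce' field is missing or invalid.
    check_ajax_referer( 'frr_refund_status', 'nonce' );

    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $allowed    = array( 'pending', 'approved', 'refused' );
    $request_id = absint( $_POST['request_id'] ?? 0 );
    $status     = sanitize_key( $_POST['status'] ?? '' );

    if ( ! $request_id || ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( 'invalid request', 400 );
    }

    update_post_meta( $request_id, 'frr_refund_status', $status );
    wp_send_json_success( array( 'id' => $request_id, 'status' => $status ) );
}
```

The same principle applies to REST routes registered with register_rest_route(): the capability test belongs in the route's permission_callback, and "is the user logged in" or a low-privilege capability such as 'edit_posts' is not sufficient for an action that approves or refuses money movement.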
Explanation of Vulnerability in Simple Terms
02 Summary
The Flexible Refund and Return Order plugin for WooCommerce contains an authorization flaw that allows unauthenticated attackers to modify refund and return requests. The vulnerability affects versions up to 1.0.42 and requires no user interaction. Site owners should update immediately to prevent unauthorized changes to order refund statuses.
What an attacker can do
03 Attacker Capabilities
Modify refund and return request data without authentication.
Potential impact on your site
04 Site Impact
Attackers can alter refund statuses and return order details, potentially causing financial loss and customer disputes.
Conditions required to exploit
05 Prerequisites
Network access to the site; no authentication or user interaction required.
Key dates
06 Disclosure timeline
November 8, 2025: CVE published
April 8, 2026: Record updated