What the vulnerability does
01 Description
The Refund Request for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_refund_status' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update refund statuses to approved or rejected.
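The pattern behind this class of bug is a WordPress AJAX handler that trusts the fact that the caller is logged in and never asks what the caller is allowed to do. The block below is an added illustration, not the plugin's code: it shows a hypothetical refund-status handler first in the weak shape the advisory describes (no capability check), then in a hardened shape with a nonce check, a capability check, an allow-list for the status value and an object-type check. The hook name, nonce action, meta key and post type are assumptions for the example.

```php
<?php
// Added illustration (not the plugin's code): a WordPress AJAX handler that
// updates a refund request's status. Hook name, nonce action, meta key and
// post type are assumptions for this example.

// --- Weak form. The wp_ajax_ hook fires for every authenticated user, so
// without a capability check any Subscriber can set approved/rejected.
function example_update_refund_status_weak() {
    $request_id = absint( $_POST['request_id'] ?? 0 );
    $status     = sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) );

    update_post_meta( $request_id, '_example_refund_status', $status );
    wp_send_json_success( array( 'status' => $status ) );
}

// --- Hardened form.
function example_update_refund_status_secure() {
    // 1. Nonce: rejects forged (cross-site) requests. Action name is assumed.
    check_ajax_referer( 'example_refund_status', 'nonce' );

    // 2. Capability: only users who manage the shop may decide refunds.
    //    Subscriber/Customer roles fail here and receive HTTP 403.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: allow-list the status instead of trusting the string.
    $allowed    = array( 'approved', 'rejected' );
    $request_id = absint( $_POST['request_id'] ?? 0 );
    $status     = sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) );

    if ( 0 === $request_id || ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid request.' ), 400 );
    }

    // 4. Object check: the ID must point at a refund request record, not at
    //    an arbitrary post (post type name is an assumption for the example).
    if ( 'example_refund_request' !== get_post_type( $request_id ) ) {
        wp_send_json_error( array( 'message' => 'Unknown refund request.' ), 404 );
    }

    update_post_meta( $request_id, '_example_refund_status', $status );
    wp_send_json_success( array( 'id' => $request_id, 'status' => $status ) );
}

// Register only the hardened handler. Omitting the wp_ajax_nopriv_ variant
// keeps anonymous users out, but every logged-in role still reaches the
// callback, so the current_user_can() check inside it is the real gate.
add_action( 'wp_ajax_example_update_refund_status', 'example_update_refund_status_secure' );
```

The order of the checks matters: the nonce and capability checks run before any input is parsed, so an unauthorized caller learns nothing about which request IDs or status values exist. When auditing a plugin for this issue, look at every `wp_ajax_*` and REST callback that writes data and confirm it calls `current_user_can()` (or a REST `permission_callback`) with a capability the intended role actually holds.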
Explanation of Vulnerability in Simple Terms
02 Summary
The Refund Request for WooCommerce plugin through version 1.0 lacks proper authorization checks on refund request operations. A logged-in user with low privileges can modify or create refund requests they should not have access to. The vulnerability does not expose sensitive data or cause service disruption, but allows unauthorized changes to refund records.
What an attacker can do
03 Attacker Capabilities
Modify or create refund requests without proper authorization.
Potential impact on your site
04 Site Impact
Refund records can be altered by unauthorized users, risking financial disputes and order integrity.
Conditions required to exploit
05 Prerequisites
Attacker must be logged in as a low-privilege user (e.g., customer account).
Key dates
06 Disclosure timeline
November 25, 2025: CVE published
April 8, 2026: Record updated