Return Refund and Exchange For WooCommerce
cpe:2.3:a:wpswings:return_refund_and_exchange_for_woocommerce:*:*:*:*:wordpress:*:*
- <= 4.4.5
An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the Return Refund and Exchange for WooCommerce plugin, in all versions up to and including 4.4.5. It arises from inadequate validation of user-controlled keys, which lets unauthenticated attackers manipulate several parts of the refund process. Exploitation could lead to overwriting refund-related image attachments, modifying refund request messages, altering order communication, and accessing order messages belonging to other users.
Exploitation of this vulnerability allows for unauthorized modification of refund requests and order messages, including attached images, potentially leading to misuse of the refund process and manipulation of order-related communications.
The vulnerability can be reproduced by sending a request to the WordPress site with a user-controlled key that is not properly validated. This can be done by an unauthenticated user, taking advantage of the missing validation to access and modify refund requests and order messages of other users.
Users are advised to update the Return Refund and Exchange for WooCommerce plugin to version 4.4.6 or later.
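As an added example, not the plugin's own code, the following hypothetical WordPress AJAX handler shows the missing-check pattern the advisory describes next to a hardened version that binds the caller-supplied order id to the logged-in customer; the `rrex_demo_*` action and function names, the meta key and the nonce action are assumptions.

```php
<?php
// Added example (not the plugin's code): a hypothetical AJAX handler that
// lets a customer update the message on their own refund request.
// Action/function names (rrex_demo_*) and the meta key are assumptions.

// Vulnerable pattern: reachable without login and trusts the caller's
// order_id, so any order's refund message can be overwritten.
add_action( 'wp_ajax_nopriv_rrex_demo_update_message', 'rrex_demo_update_message_unsafe' );
function rrex_demo_update_message_unsafe() {
    $order_id = absint( $_POST['order_id'] ?? 0 );  // user-controlled key, never checked
    $message  = sanitize_text_field( wp_unslash( $_POST['message'] ?? '' ) );
    $order    = wc_get_order( $order_id );
    if ( $order ) {
        $order->update_meta_data( '_rrex_demo_refund_message', $message );
        $order->save();
    }
    wp_send_json_success();
}

// Hardened pattern: logged-in users only (no nopriv hook), CSRF nonce checked,
// and the order must belong to the caller unless they manage the shop.
add_action( 'wp_ajax_rrex_demo_update_message', 'rrex_demo_update_message_safe' );
function rrex_demo_update_message_safe() {
    check_ajax_referer( 'rrex_demo_update_message', 'nonce' );

    $order_id = absint( $_POST['order_id'] ?? 0 );
    $message  = sanitize_text_field( wp_unslash( $_POST['message'] ?? '' ) );

    if ( ! rrex_demo_user_can_edit_order( get_current_user_id(), $order_id ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 ); // exits
    }

    $order = wc_get_order( $order_id );
    $order->update_meta_data( '_rrex_demo_refund_message', $message );
    $order->save();
    wp_send_json_success();
}

// Authorization check to reuse in every handler that accepts an order id
// (messages, attachments, order communication).
function rrex_demo_user_can_edit_order( $user_id, $order_id ) {
    $order = wc_get_order( $order_id );
    if ( ! $order || ! $user_id ) {
        return false;                       // unknown order or anonymous caller
    }
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;                        // shop staff may act on any order
    }
    return (int) $order->get_customer_id() === (int) $user_id;
}
```

The same ownership check belongs in front of any code path that reads or writes refund images or order messages keyed by a request parameter, since the advisory lists each of those as reachable without authentication.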