Flexible Refund and Return Order for WooCommerce Missing Authorization Vulnerability

Vulnerability

A vulnerability exists in the Flexible Refund and Return Order for WooCommerce plugin for WordPress, in all versions through 1.0.38. The issue arises from the save_refund_request() function, which lacks proper authorization checks. This flaw allows authenticated attackers with subscriber-level access or higher to submit refund requests for orders they do not own.
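The fix for this class of bug is an ownership check before the request is persisted. The handler below is an added illustration, not the plugin's own code: a hypothetical AJAX endpoint for a refund request that verifies the nonce, the login state, and that the order belongs to the requesting user (or a shop manager) before doing anything. The nonce action name, the POST field name, and the function/hook names are assumptions; the WordPress and WooCommerce API calls are real.

```php
<?php
// Hypothetical hardened refund-request handler (example added here; not the plugin's code).
// Assumed names: nonce action 'example_refund_request', POST field 'order_id', hook/function below.
add_action( 'wp_ajax_example_save_refund_request', 'example_save_refund_request' );

function example_save_refund_request() {
    // 1. CSRF: the request must carry a nonce issued to this user's session.
    check_ajax_referer( 'example_refund_request', 'nonce' );

    // 2. Authentication: wp_ajax_ hooks already require a logged-in user, but the
    //    explicit check documents the intent and protects against hook misuse.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Login required.' ), 401 );
    }

    // Validate the order reference before touching any data.
    $order_id = isset( $_POST['order_id'] ) ? absint( wp_unslash( $_POST['order_id'] ) ) : 0;
    $order    = $order_id ? wc_get_order( $order_id ) : false;
    if ( ! $order ) {
        wp_send_json_error( array( 'message' => 'Unknown order.' ), 404 );
    }

    // 3. Authorization (the check the advisory describes as missing): only the
    //    customer who placed the order, or a shop manager, may file a refund request.
    $user_id = get_current_user_id();
    if ( (int) $order->get_customer_id() !== $user_id && ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'You do not own this order.' ), 403 );
    }

    // ... persist the refund request for $order here (plugin-specific, omitted) ...
    wp_send_json_success( array( 'order_id' => $order_id ) );
}
```

Each wp_send_json_error() call terminates the request, so execution never reaches the persistence step unless all three checks pass; a log of 403 responses from this endpoint is also a cheap detection signal for users probing orders they do not own.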

Impact

Exploitation of this vulnerability allows for unauthorized refund requests to be processed, potentially leading to financial loss or abuse of the refund system.

Remediation

Users are advised to update the plugin to version 1.0.39 or later.

Added: Oct 22, 2025, 7:24 AM
Updated: Oct 22, 2025, 7:24 AM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          0.6
exploitability  5.9
remediation     7.7
relevance       0.8
threat          3.2
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.