Flexible Refund and Return Order for WooCommerce Incorrect Authorization Vulnerability
Vulnerability
A vulnerability exists in the Flexible Refund and Return Order for WooCommerce plugin for WordPress in all versions up to and including 1.0.42. The plugin's 'create_refund' function performs a misconfigured capability check, so an authenticated attacker with Contributor-level access or higher can change the status of refund requests, including approving or denying them, without authorization.
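The following is an added illustrative example, not code from the plugin or its authors. It shows the class of bug the advisory describes: a privileged AJAX action gated on a capability that low-privilege roles also hold, beside a hardened version of the same handler. The hook names, function names, nonce action, request parameters, the post-meta key and the choice of 'edit_posts' as the weak capability are all assumptions made for the example; the plugin's actual check is not reproduced here.

```php
<?php
// Added illustrative example, not the plugin's code. Hook names, function
// names, parameters and the weak capability string are assumptions.

// Weak variant (assumed pattern): the check passes for any user holding
// 'edit_posts'. WordPress Contributors hold that capability, so they can
// reach the status change even though they should have no say over refunds.
function example_weak_create_refund() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $request_id = absint( $_POST['request_id'] ?? 0 );
    $status     = sanitize_key( $_POST['status'] ?? '' );
    example_set_refund_status( $request_id, $status );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_weak_create_refund', 'example_weak_create_refund' );

// Hardened variant: verify a nonce (CSRF), require a capability that only
// shop staff hold ('manage_woocommerce' is granted to shop managers and
// administrators), and restrict the status to a fixed allowlist.
function example_hardened_create_refund() {
    check_ajax_referer( 'example_refund_action', 'nonce' );
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $request_id = absint( $_POST['request_id'] ?? 0 );
    $status     = sanitize_key( $_POST['status'] ?? '' );
    $allowed    = array( 'approved', 'denied' );
    if ( 0 === $request_id || ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( 'invalid request', 400 );
    }
    example_set_refund_status( $request_id, $status );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_hardened_create_refund', 'example_hardened_create_refund' );

// Hypothetical persistence helper: stores the status as post meta on the
// refund request post. The meta key is an assumption for this example.
function example_set_refund_status( $request_id, $status ) {
    update_post_meta( $request_id, '_example_refund_status', $status );
}
```

When auditing a handler like this, the question is not whether a capability check exists but whether the capability it names is one that only the intended role holds; checking 'edit_posts' or relying on is_user_logged_in() alone fails that test for any action that should be limited to shop staff.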
Impact
Exploitation allows users who should have no control over refunds to approve or deny refund requests, potentially leading to financial loss or abuse of the refund process.
Remediation
Update to version 1.0.43 or a later patched version to address this vulnerability.
