Primary

Context

WooCommerce Refund Request Plugin Missing Authorization Vulnerability on WordPress

Vulnerability

A vulnerability exists in the Refund Request for WooCommerce plugin for WordPress, all versions through 1.0, due to a lack of proper capability checks in the 'update_refund_status' function. This flaw allows authenticated attackers with Subscriber-level access or higher to unauthorizedly modify refund statuses, changing them to approved or rejected.

Impact

Exploitation of this vulnerability allows for unauthorized users to change refund statuses, potentially leading to financial discrepancies or abuse of the refund process.

Remediation

No known patch is available. Users are advised to review the vulnerability details and consider uninstalling the affected plugin.

Added: Nov 25, 2025, 8:47 AM

Updated: Nov 25, 2025, 8:47 AM

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

0.6

exploitability

5.2

remediation

0.0

relevance

1.1

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

0.0

impact

0.6

exploitability

5.2

remediation

0.0

relevance

1.1

threat

0.0

urgency

2.9

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

WooCommerce Refund Request Plugin Missing Authorization Vulnerability on WordPress

Vulnerability

Impact

Remediation

Affected Products

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating