GCVE - cpe:2.3:a:wpdesk:flexible_refund_and_return_order_for

Approved changes feed: RSS · Atom

cpe:2.3:a:wpdesk:flexible_refund_and_return_order_for_woocommerce:*:*:*:*:*:*:*:*

part: a version: * update: *

Vendor	Wpdesk (`54fd216e-520f-595d-9e1c-4e7d99dadc3a`)
Product	Flexible Refund And Return Order For Woocommerce (`a860601d-733d-543d-aceb-2defa0db557b`)
Edition	*
Language	*
Software edition	*
Target software	*
Target hardware	*
Other	*
Notes	Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL	Source	Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier	cpeApplicability	Submitted	db.gcve.eu details	Rationale
`CVE:CVE-2025-12621`	vulnerable	2026-06-08 07:04:30.545758	Flexible Refund and Return Order for WooCommerce <= 1.0.42 - Incorrect Authorization to Authenticated (Contributor+) Refund Status Update MEDIUM (5.3) The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on the 'create_refund' function in all versions up to, and including, 1.0.42. This makes it possible for authenticated attackers, with Contributor-level access and above, to update the status of refund requests, including approving and refusing refunds. Published: 2025-11-08T07:26:28.151Z Updated: 2026-04-08T17:04:26.863Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/8498c671-b46e-420c-a482-7c6983596753?source=cve https://plugins.trac.wordpress.org/browser/flexible-refund-and-return-order-for-woocommerce/trunk/vendor_prefixed/wpdesk/flexible-refunds-core/src/Integration/Ajax.php#L55 https://plugins.trac.wordpress.org/changeset?old=3378649%40flexible-refund-and-return-order-for-woocommerce%2Ftags%2F1.0.42&new=3390898%40flexible-refund-and-return-order-for-woocommerce%2Ftags%2F1.0.43	Imported from gcve-enriched-dumps CVE data
`CVE:CVE-2025-10570`	vulnerable	2026-06-08 07:02:27.091396	Flexible Refund and Return Order for WooCommerce <= 1.0.38 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Order Refund MEDIUM (4.3) The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.38 via the save_refund_request() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to submit refund requests for arbitrary orders that they do not own. Published: 2025-10-22T06:40:59.103Z Updated: 2026-04-08T17:18:58.830Z Open on db.gcve.eu Reference links https://www.wordfence.com/threat-intel/vulnerabilities/id/bd9b6575-f49b-4586-a716-69d39242423d?source=cve https://plugins.trac.wordpress.org/changeset/3375005/flexible-refund-and-return-order-for-woocommerce	Imported from gcve-enriched-dumps CVE data

Contribute

You can submit an edit proposal for this CPE entry or suggest a related product/vendor addition using the action button above.

Flexible Refund And Return Order For Woocommerce

PURL mappings

Vulnerability references

Contribute