{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10570", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-16T16:19:08.622Z", "datePublished": "2025-10-22T06:40:59.103Z", "dateUpdated": "2026-04-08T17:18:58.830Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:18:58.830Z"}, "affected": [{"vendor": "wpdesk", "product": "Flexible Refund and Return Order for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.38", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.38 via the save_refund_request() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to submit refund requests for arbitrary orders that they do not own."}], "title": "Flexible Refund and Return Order for WooCommerce <= 1.0.38 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Order Refund", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bd9b6575-f49b-4586-a716-69d39242423d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3375005/flexible-refund-and-return-order-for-woocommerce"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Powpy"}], "timeline": [{"time": "2025-09-30T15:25:42.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-21T17:57:53.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-22T15:46:36.960489Z", "id": "CVE-2025-10570", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-22T15:46:51.276Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10570", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-22T15:46:36.960489Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-22T15:46:46.349Z"}}], "cna": {"title": "Flexible Refund and Return Order for WooCommerce <= 1.0.38 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Order Refund", "credits": [{"lang": "en", "type": "finder", "value": "Powpy"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wpdesk", "product": "Flexible Refund and Return Order for WooCommerce", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.0.38"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-30T15:25:42.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-21T17:57:53.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bd9b6575-f49b-4586-a716-69d39242423d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3375005/flexible-refund-and-return-order-for-woocommerce"}], "descriptions": [{"lang": "en", "value": "The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.38 via the save_refund_request() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to submit refund requests for arbitrary orders that they do not own."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-10-22T06:40:59.103Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10570", "state": "PUBLISHED", "dateUpdated": "2025-10-22T15:46:51.276Z", "dateReserved": "2025-09-16T16:19:08.622Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-22T06:40:59.103Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.38 via the save_refund_request() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to submit refund requests for arbitrary orders that they do not own."}], "id": "CVE-2025-10570", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-22T07:15:31.780", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3375005/flexible-refund-and-return-order-for-woocommerce"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bd9b6575-f49b-4586-a716-69d39242423d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T02:10:46.222274+00:00", "value": {"mitigation_remediation": ["Update Flexible Refund and Return Order for WooCommerce to the latest version that contains the authorization fix", "If an update is not immediately available, restrict the ability to submit refunds to administrator users only by configuring role permissions in WooCommerce", "Disable or remove the plugin entirely if the functionality is not required for the business"], "summary": {"action": "Apply Patch", "impact": "Unauthorized order refund for accounts with subscriber-level or higher access"}, "threat_synthesis": {"affected_systems": "The issue affects the Flexible Refund and Return Order for WooCommerce plugin from wpdesk, in all versions up to and including version 1.0.38. Users running these versions on WordPress installations are susceptible until they apply a patch or upgrade to a fixed version.", "description_and_impact": "The vulnerable plugin function allows a logged\u2011in user with subscriber or higher privileges to submit a refund request for any order, regardless of ownership, exposing the store to potential financial loss through unauthorized refunds. The flaw is a missing authorization check, which enables an attacker who can authenticate to exploit the vulnerability and trigger arbitrary refunds. The reported weakness is identified as CWE\u2011639 and has a CVSS score of 4.3, indicating a moderate severity.", "risk_and_exploitability": "With the EPSS score below 1% and no listing in the CISA KEV catalog, the likelihood of exploitation in the wild appears low, and the attack vector requires the attacker to possess a valid authenticated user account with subscriber-level access or higher. The exploitation would enable the attacker to create refund entries for arbitrary orders, potentially resulting in financial loss for the merchant. The CVSS score of 4.3 reflects the impact of the flaw on confidentiality and integrity, while the limited exploitation probability suggests that immediate, active monitoring might suffice until a patch becomes available."}}}}, "created": "2025-10-23T10:07:48.365328+00:00", "updated": "2026-04-21T02:15:06.530082+00:00", "vendors": ["woocommerce", "woocommerce$PRODUCT$woocommerce", "wordpress", "wordpress$PRODUCT$wordpress", "wpdesk", "wpdesk$PRODUCT$flexible_refund_and_return_order_for_woocommerce"]}