{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12086", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-22T18:05:44.982Z", "datePublished": "2025-11-21T07:31:47.110Z", "dateUpdated": "2026-04-08T16:36:25.470Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:36:25.470Z"}, "affected": [{"vendor": "wpswings", "product": "Return Refund and Exchange For WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.5.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Return Refund and Exchange For WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.5.5 via the 'wps_rma_cancel_return_request' AJAX endpoint due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete other users refund requests."}], "title": "Return Refund and Exchange For WooCommerce <= 4.5.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Refund Request Cancellation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/126e2b92-322e-440c-a924-1b604330f164?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3394215%40woo-refund-and-exchange-lite&new=3394215%40woo-refund-and-exchange-lite&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Powpy"}], "timeline": [{"time": "2025-10-22T18:20:54.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-20T18:57:45.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-21T14:48:06.465756Z", "id": "CVE-2025-12086", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-21T14:57:29.611Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12086", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-21T14:48:06.465756Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-21T14:53:53.770Z"}}], "cna": {"title": "Return Refund and Exchange For WooCommerce <= 4.5.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Refund Request Cancellation", "credits": [{"lang": "en", "type": "finder", "value": "Powpy"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wpswings", "product": "Return Refund and Exchange For WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.5.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-22T18:20:54.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-20T18:57:45.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/126e2b92-322e-440c-a924-1b604330f164?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3394215%40woo-refund-and-exchange-lite&new=3394215%40woo-refund-and-exchange-lite&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Return Refund and Exchange For WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.5.5 via the 'wps_rma_cancel_return_request' AJAX endpoint due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete other users refund requests."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:36:25.470Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12086", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:36:25.470Z", "dateReserved": "2025-10-22T18:05:44.982Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-21T07:31:47.110Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Return Refund and Exchange For WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.5.5 via the 'wps_rma_cancel_return_request' AJAX endpoint due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete other users refund requests."}], "id": "CVE-2025-12086", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-21T08:15:52.483", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3394215%40woo-refund-and-exchange-lite&new=3394215%40woo-refund-and-exchange-lite&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/126e2b92-322e-440c-a924-1b604330f164?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T21:06:59.142054+00:00", "value": {"mitigation_remediation": ["Update the Return Refund and Exchange For WooCommerce plugin to version 4.5.6 or later, which removes the insecure endpoint.", "Restrict access to the wps_rma_cancel_return_request AJAX endpoint so that only users with appropriate privileges can invoke it, or disable it entirely if not needed.", "Implement server\u2011side validation of refund identifiers so that a user can only cancel requests that belong to them, thereby mitigating the CWE\u2011639 vulnerability."], "summary": {"action": "Apply Patch", "impact": "Insecure Direct Object Reference allowing authenticated users to delete other users' refund requests"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the Return Refund and Exchange For WooCommerce plugin by wpswings. Versions up to and including 4.5.5 are susceptible. Any WordPress site that has installed these versions of the plugin is at risk.", "description_and_impact": "The Return Refund and Exchange For WooCommerce plugin contains an insecure direct object reference in the wps_rma_cancel_return_request AJAX endpoint. Because the plugin does not validate the user\u2011controlled key, any authenticated user with Subscriber or higher privileges can send a request that will delete another user\u2019s refund record. This leads to unauthorized cancellation of refund requests, potentially causing financial loss or customer dissatisfaction. The weakness is classified as CWE\u2011639.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate severity. The EPSS score of less than 1% suggests the likelihood of exploitation is very low at present, and the issue is not listed in the CISA KEV catalog. Exploitation requires authentication with at least a Subscriber role and involves sending a crafted AJAX request to the wps_rma_cancel_return_request endpoint. The absence of validation on the request key directly enables the attacker to target other users\u2019 refund records."}}}}, "created": "2025-11-24T09:09:19.779772+00:00", "updated": "2026-04-22T21:15:27.678260+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpswings", "wpswings$PRODUCT$return_refund_and_exchange_for_woocommerce"]}