{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12621", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-02T17:25:24.607Z", "datePublished": "2025-11-08T07:26:28.151Z", "dateUpdated": "2026-04-08T17:04:26.863Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:26.863Z"}, "affected": [{"vendor": "wpdesk", "product": "Flexible Refund and Return Order for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.42", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on the 'create_refund' function in all versions up to, and including, 1.0.42. This makes it possible for authenticated attackers, with Contributor-level access and above, to update the status of refund requests, including approving and refusing refunds."}], "title": "Flexible Refund and Return Order for WooCommerce <= 1.0.42 - Incorrect Authorization to Authenticated (Contributor+) Refund Status Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8498c671-b46e-420c-a482-7c6983596753?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/flexible-refund-and-return-order-for-woocommerce/trunk/vendor_prefixed/wpdesk/flexible-refunds-core/src/Integration/Ajax.php#L55"}, {"url": "https://plugins.trac.wordpress.org/changeset?old=3378649%40flexible-refund-and-return-order-for-woocommerce%2Ftags%2F1.0.42&new=3390898%40flexible-refund-and-return-order-for-woocommerce%2Ftags%2F1.0.43"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-863 Incorrect Authorization", "cweId": "CWE-863", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Powpy"}], "timeline": [{"time": "2025-11-02T17:40:51.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-07T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-10T14:10:09.515297Z", "id": "CVE-2025-12621", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-10T14:14:29.598Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12621", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-10T14:10:09.515297Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-10T14:10:10.268Z"}}], "cna": {"title": "Flexible Refund and Return Order for WooCommerce <= 1.0.42 - Incorrect Authorization to Authenticated (Contributor+) Refund Status Update", "credits": [{"lang": "en", "type": "finder", "value": "Powpy"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "wpdesk", "product": "Flexible Refund and Return Order for WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0.42"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-02T17:40:51.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-07T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8498c671-b46e-420c-a482-7c6983596753?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/flexible-refund-and-return-order-for-woocommerce/trunk/vendor_prefixed/wpdesk/flexible-refunds-core/src/Integration/Ajax.php#L55"}, {"url": "https://plugins.trac.wordpress.org/changeset?old=3378649%40flexible-refund-and-return-order-for-woocommerce%2Ftags%2F1.0.42&new=3390898%40flexible-refund-and-return-order-for-woocommerce%2Ftags%2F1.0.43"}], "descriptions": [{"lang": "en", "value": "The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on the 'create_refund' function in all versions up to, and including, 1.0.42. This makes it possible for authenticated attackers, with Contributor-level access and above, to update the status of refund requests, including approving and refusing refunds."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-863", "description": "CWE-863 Incorrect Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:04:26.863Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12621", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:04:26.863Z", "dateReserved": "2025-11-02T17:25:24.607Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-08T07:26:28.151Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on the 'create_refund' function in all versions up to, and including, 1.0.42. This makes it possible for authenticated attackers, with Contributor-level access and above, to update the status of refund requests, including approving and refusing refunds."}], "id": "CVE-2025-12621", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-08T08:15:45.023", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/flexible-refund-and-return-order-for-woocommerce/trunk/vendor_prefixed/wpdesk/flexible-refunds-core/src/Integration/Ajax.php#L55"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?old=3378649%40flexible-refund-and-return-order-for-woocommerce%2Ftags%2F1.0.42&new=3390898%40flexible-refund-and-return-order-for-woocommerce%2Ftags%2F1.0.43"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8498c671-b46e-420c-a482-7c6983596753?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T18:34:56.348512+00:00", "value": {"mitigation_remediation": ["Update Flexible Refund and Return Order for WooCommerce to version 1.0.43 or later, which includes proper capability checks.", "If an update cannot be applied immediately, restrict Contributor roles from accessing refund actions, either removing the capability or using a role manager plugin to limit their permissions.", "Audit refund logs for unauthorized status changes and review all approved refunds for consistency with legitimate customer requests."], "summary": {"action": "Patch", "impact": "Unauthorized Refund Status Manipulation"}, "threat_synthesis": {"affected_systems": "All installations of wpdesk Flexible Refund and Return Order for WooCommerce version 1.0.42 and earlier are affected. These are WordPress plugins that extend WooCommerce on e\u2011commerce sites. Any WooCommerce store that has installed an affected version of the plugin must assess whether it is vulnerable.", "description_and_impact": "The Flexible Refund and Return Order for WooCommerce plugin contains a misconfigured capability check in its create_refund function. Consequently, any user with Contributor level access or higher can alter the status of refund requests, allowing an attacker to approve or reject refunds without permission. This flaw is a classic example of a missing authorization vulnerability (CWE-863) and compromises data integrity by enabling the manipulation of financial records.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity, while an EPSS score of less than 1% suggests a low likelihood of exploitation at this time. The vulnerability is not listed in CISA\u2019s KEV catalog, which further reduces perceived risk. Attackers would need authenticated access with at least Contributor privileges to exploit this flaw, making the primary attack vector authenticated. Once authenticated, they could invoke the Ajax endpoint that bypasses the capability check to change refund statuses."}}}}, "created": "2025-11-10T09:33:21.372887+00:00", "updated": "2026-04-21T18:45:06.075817+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpdesk", "wpdesk$PRODUCT$flexible_refund_and_return_order_for_woocommerce"]}