{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12634", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-03T15:01:40.163Z", "datePublished": "2025-11-25T07:28:27.011Z", "dateUpdated": "2026-04-08T17:32:26.856Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:32:26.856Z"}, "affected": [{"vendor": "sunarc", "product": "Refund Request for WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Refund Request for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_refund_status' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update refund statuses to approved or rejected."}], "title": "Refund Request for WooCommerce <= 1.0 - Missing Authorization to Authenticated (Subscriber+) Refund Status Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f15b4596-8e00-4e66-8b51-f49ede1ff307?source=cve"}, {"url": "https://wordpress.org/plugins/refund-request-for-woocommerce/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Powpy"}], "timeline": [{"time": "2025-11-24T19:16:59.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-25T14:27:02.481258Z", "id": "CVE-2025-12634", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-25T14:27:23.773Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12634", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-25T14:27:02.481258Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-25T14:27:07.386Z"}}], "cna": {"title": "Refund Request for WooCommerce <= 1.0 - Missing Authorization to Authenticated (Subscriber+) Refund Status Update", "credits": [{"lang": "en", "type": "finder", "value": "Powpy"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "sunarc", "product": "Refund Request for WooCommerce", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-24T19:16:59.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f15b4596-8e00-4e66-8b51-f49ede1ff307?source=cve"}, {"url": "https://wordpress.org/plugins/refund-request-for-woocommerce/"}], "descriptions": [{"lang": "en", "value": "The Refund Request for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_refund_status' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update refund statuses to approved or rejected."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:32:26.856Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12634", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:32:26.856Z", "dateReserved": "2025-11-03T15:01:40.163Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-25T07:28:27.011Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Refund Request for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_refund_status' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update refund statuses to approved or rejected."}], "id": "CVE-2025-12634", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-25T08:15:49.093", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/refund-request-for-woocommerce/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f15b4596-8e00-4e66-8b51-f49ede1ff307?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T01:18:42.498313+00:00", "value": {"mitigation_remediation": ["Update the Refund Request for WooCommerce plugin to the latest version that includes the authorization check fixation", "Reconfigure role-based permissions so that Subscriber-level users do not possess the capability to modify refund statuses", "Audit refund status logs for unauthorized changes and investigate any anomalies"], "summary": {"action": "Apply Patch", "impact": "Privilege escalation to modify refund status"}, "threat_synthesis": {"affected_systems": "The vulnerability afflicts the sunarc \"Refund Request for WooCommerce\" plugin for WordPress. All released versions up to and including version\u202f1.0 are affected. The issue resides in the plugin\u2019s logic that processes refund status updates.", "description_and_impact": "The Refund Request for WooCommerce plugin for WordPress contains a missing capability check on the update_refund_status function. As a result, authenticated users with Subscriber-level access and above can change any refund status to approved or rejected. This flaw amounts to a flaw in authorization control, as categorized by CWE\u2011862, and allows attackers to alter transaction records without proper admin privileges.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, and the EPSS score of less than 1% shows a very low likelihood of exploitation at the time of this analysis. The flaw is not listed in the CISA KEV catalog. A likely attack path requires the attacker to have legitimate login credentials of a Subscriber or higher role, after which the missing authorization check permits misuse of the refund status update endpoint. The risk is confined to administrators who allow Subscriber-level roles the ability to modify refunds, and the impact is the potential for fraudulent refund approvals or denials."}}}}, "created": "2025-12-01T15:19:21.671973+00:00", "updated": "2026-04-21T01:30:24.387404+00:00", "vendors": ["sunarc", "sunarc$PRODUCT$refund_request_for_woocommerce", "woocommerce", "woocommerce$PRODUCT$woocommerce", "wordpress", "wordpress$PRODUCT$wordpress"]}