{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12881", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-07T16:19:02.823Z", "datePublished": "2025-11-21T07:31:53.213Z", "dateUpdated": "2026-04-08T17:11:23.231Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:11:23.231Z"}, "affected": [{"vendor": "wpswings", "product": "Return Refund and Exchange For WooCommerce", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.5.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Return Refund and Exchange For WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.5.5 via the wps_rma_fetch_order_msgs() due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read other user's order messages."}], "title": "Return Refund and Exchange For WooCommerce <= 4.5.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Order Message Read", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9c159237-1a3a-4d42-9a2e-fbd6ca98f38e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3394215%40woo-refund-and-exchange-lite&new=3394215%40woo-refund-and-exchange-lite&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Powpy"}], "timeline": [{"time": "2025-11-07T16:34:12.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-20T18:56:54.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-21T16:16:29.563528Z", "id": "CVE-2025-12881", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-24T18:03:55.985Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12881", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-21T16:16:29.563528Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-21T16:16:32.683Z"}}], "cna": {"title": "Return Refund and Exchange For WooCommerce <= 4.5.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Order Message Read", "credits": [{"lang": "en", "type": "finder", "value": "Powpy"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "wpswings", "product": "Return Refund and Exchange For WooCommerce", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "4.5.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-07T16:34:12.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-20T18:56:54.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9c159237-1a3a-4d42-9a2e-fbd6ca98f38e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3394215%40woo-refund-and-exchange-lite&new=3394215%40woo-refund-and-exchange-lite&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Return Refund and Exchange For WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.5.5 via the wps_rma_fetch_order_msgs() due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read other user's order messages."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-11-21T07:31:53.213Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12881", "state": "PUBLISHED", "dateUpdated": "2025-11-24T18:03:55.985Z", "dateReserved": "2025-11-07T16:19:02.823Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-21T07:31:53.213Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Return Refund and Exchange For WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.5.5 via the wps_rma_fetch_order_msgs() due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read other user's order messages."}], "id": "CVE-2025-12881", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-21T08:15:54.177", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3394215%40woo-refund-and-exchange-lite&new=3394215%40woo-refund-and-exchange-lite&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9c159237-1a3a-4d42-9a2e-fbd6ca98f38e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:30:50.676936+00:00", "value": {"mitigation_remediation": ["Upgrade the Return Refund and Exchange For WooCommerce plugin to the latest version available from the vendor, which includes a fix for the insecure direct object reference.", "If an immediate update is not possible, restrict the Subscriber role from accessing the order message interface or enforce stricter role-based access controls within the plugin configuration.", "Apply a web application firewall rule or use the WordPress REST API security plugin to block unauthenticated or unauthorized requests targeting the wps_rma_fetch_order_msgs() endpoint."], "summary": {"action": "Apply Patch", "impact": "Sensitive Order Data Disclosure"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts the WordPress plugin \"Return Refund and Exchange For WooCommerce\" developed by wpswings, affecting all released versions up to and including 4.5.5. The affected code path allows any authenticated Subscriber or higher role to exploit the insecure direct object reference.", "description_and_impact": "The Return Refund and Exchange For WooCommerce plugin contains an insecure direct object reference that allows authenticated users with Subscriber-level access or higher to read order messages belonging to other users. The flaw arises due to missing validation on a key passed to the wps_rma_fetch_order_msgs() function, enabling a confidentiality breach by exposing sensitive messages tied to customer orders. This can lead to an attacker learning personal or financial details associated with the orders without needing to compromise the system at a higher privilege level.", "risk_and_exploitability": "The CVSS score of 5.4 indicates moderate severity. The EPSS score of < 1% suggests a low likelihood of exploitation in the near term. The vulnerability is not listed in CISA KEV, implying it has not been widely observed in the wild. Attackers would need to be authenticated on the target site, and the exploit path is local/internal, yet the potential for data leakage remains significant for businesses handling customer order information."}}}}, "created": "2025-11-24T09:10:01.959307+00:00", "updated": "2026-04-22T00:45:04.144601+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress", "wpswings", "wpswings$PRODUCT$return_refund_and_exchange_for_woocommerce"]}