Vulnerabilities and security researches forflexible-refund-and-return-order-for-woocommerce flexible-refund-and-return-order-for-woocommerce

Nov 10, 2025

CVE, Research URL: CVE-2025-10570
Home page URL: Security reports for Flexible Refund and Return Order for WooCommerce
Application: Flexible Refund and Return Order for WooCommerce
Date: Oct 22, 2025
Research Description: The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.38 via the save_refund_request() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to submit refund requests for arbitrary orders that they do not own.
Affected versions: max 1.0.39.
Status: vulnerable