cleantalk
Vulnerabilities and Security Researches

Flexible Refund and Return Order for WooCommerce, CVE-2025-10570

CVE, Research URL

CVE-2025-10570

Home page URL

Security reports for Flexible Refund and Return Order for WooCommerce

Application

Flexible Refund and Return Order for WooCommerce

Published on
Oct 22, 2025
Research Description
The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.38 via the save_refund_request() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to submit refund requests for arbitrary orders that they do not own.
Affected versions
max 1.0.39.
Status
vulnerable
Previous vulnerability researches
Video Lessons Manager – WordPress LMS Plugin (CVE-2021-24713) , Jun 06, 2024
Video Lessons Manager – WordPress LMS Plugin (CVE-2024-11202) , Nov 27, 2024
Video Lessons Manager – WordPress LMS Plugin (CVE-2025-24758) , Feb 16, 2025
New vulnerability
Product Addons & Fields for WooCommerce (CVE-2025-11391) , Nov 10, 2025
Product Addons & Fields for WooCommerce (CVE-2025-11691) , Nov 10, 2025
wpNamedUsers (CVE-2025-48083) , Nov 10, 2025
Colibri Page Builder (CVE-2025-9560) , Nov 10, 2025
WP Snow Effect (CVE-2025-64294) , Nov 10, 2025