CVE-2025-10570
📋 TL;DR
The Flexible Refund and Return Order for WooCommerce WordPress plugin has an authorization flaw that allows authenticated users (even with basic subscriber access) to submit refund requests for orders they don't own. This affects all WordPress sites using this plugin up to version 1.0.38. Attackers could abuse this to request fraudulent refunds.
💻 Affected Systems
- Flexible Refund and Return Order for WooCommerce WordPress plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers systematically request refunds for all orders, causing significant financial loss and administrative chaos as legitimate customers receive unauthorized refunds.
Likely Case
Opportunistic attackers submit refund requests for high-value orders they discover, resulting in financial loss and customer service issues.
If Mitigated
Limited impact if proper order validation and refund approval workflows are in place, though unauthorized requests still create administrative overhead.
🎯 Exploit Status
Exploitation requires authenticated access (subscriber role or higher). The vulnerability is in the save_refund_request() function which lacks proper authorization checks.
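The missing check described above is an order-ownership test in the AJAX handler. The following is an added, illustrative hardened handler, not the plugin's own code; the hook name `wp_ajax_save_refund_request`, the nonce action `example_refund_nonce` and the `order_id`/`reason` field names are assumptions, while `save_refund_request` itself comes from the advisory.

```php
<?php
// Illustrative hardened AJAX handler (not the plugin's code). Hook name,
// nonce action and POST field names are assumptions made for this example.
add_action( 'wp_ajax_save_refund_request', 'example_save_refund_request' );

function example_save_refund_request() {
    // 1. CSRF protection: reject requests without a valid nonce (dies on failure).
    check_ajax_referer( 'example_refund_nonce', 'security' );

    // 2. Authentication: anonymous callers get nothing.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Login required.' ), 401 );
    }

    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( array( 'message' => 'Unknown order.' ), 404 );
    }

    // 3. Authorization: the check CVE-2025-10570 lacked. Only the customer who
    //    placed the order, or a shop manager, may file a refund request for it.
    //    Comparing the order's customer ID to the session user ties the request
    //    to ownership instead of trusting whatever order_id the client sent.
    $current_user = get_current_user_id();
    if ( (int) $order->get_customer_id() !== $current_user
         && ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Not your order.' ), 403 );
    }

    // 4. Only now persist the request, with the free-text reason sanitized.
    $reason = isset( $_POST['reason'] )
        ? sanitize_textarea_field( wp_unslash( $_POST['reason'] ) )
        : '';
    $order->update_meta_data( '_example_refund_request', array(
        'user_id'   => $current_user,
        'reason'    => $reason,
        'requested' => current_time( 'mysql', true ),
    ) );
    $order->save();

    wp_send_json_success( array( 'order_id' => $order_id ) );
}
```

Because `wp_send_json_error()` ends the request, each rejected branch stops before any order data is touched, so the ownership test in step 3 is the only path to the write in step 4.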
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Version 1.0.39 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3375005/flexible-refund-and-return-order-for-woocommerce
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find 'Flexible Refund and Return Order for WooCommerce'.
4. Click 'Update Now' if available.
5. Alternatively, download version 1.0.39+ from WordPress.org and update manually.
🔧 Temporary Workarounds
Disable plugin temporarily
Deactivate the vulnerable plugin until patched
wp plugin deactivate flexible-refund-and-return-order-for-woocommerce
Restrict user registration
Temporarily disable new user registration to limit the attack surface
Settings → General → Membership: Uncheck 'Anyone can register'
🧯 If You Can't Patch
- Implement additional refund request validation in WooCommerce settings
- Monitor refund requests closely and implement manual approval for all refunds
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins → Installed Plugins. If version is 1.0.38 or lower, you are vulnerable.
Check Version:
wp plugin get flexible-refund-and-return-order-for-woocommerce --field=version
Verify Fix Applied:
After updating, verify plugin version shows 1.0.39 or higher in WordPress admin.
📡 Detection & Monitoring
Log Indicators:
- Multiple refund requests from same user ID for different order IDs
- Refund requests from users with subscriber role
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=save_refund_request from non-admin users
SIEM Query:
source="wordpress" action="save_refund_request" user_role="subscriber"