Medium severity4.3NVD Advisory· Published Oct 22, 2025· Updated Apr 15, 2026
CVE-2025-10570
CVE-2025-10570
Description
The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.38 via the save_refund_request() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to submit refund requests for arbitrary orders that they do not own.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2<=1.0.38+ 1 more
- (no CPE)range: <=1.0.38
- (no CPE)range: <=1.0.38
Patches
Vulnerability mechanics
References
2News mentions
0No linked articles in our index yet.