Medium severity5.3NVD Advisory· Published Nov 8, 2025· Updated Apr 15, 2026

CVE-2025-12621

Description

The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a misconfigured capability check on the 'create_refund' function in all versions up to, and including, 1.0.42. This makes it possible for authenticated attackers, with Contributor-level access and above, to update the status of refund requests, including approving and refusing refunds.

Affected products

WordPress/Flexible Refund And Return Order For Woocommerceinferred
Range: <=1.0.42
Package: https://wordpress.org/plugins/flexible-refund-and-return-order-for-woocommerce

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/browser/flexible-refund-and-return-order-for-woocommerce/trunk/vendor_prefixed/wpdesk/flexible-refunds-core/src/Integration/Ajax.phpnvd
plugins.trac.wordpress.org/changesetnvd
www.wordfence.com/threat-intel/vulnerabilities/id/8498c671-b46e-420c-a482-7c6983596753nvd

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000