CVE-2025-12634
Description
The Refund Request for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_refund_status' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update refund statuses to approved or rejected.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Refund Request for WooCommerce plugin lacks a capability check, allowing authenticated subscribers to approve or reject refunds.
Vulnerability
Overview
The Refund Request for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check in the update_refund_status function. This function is accessible to any authenticated user with Subscriber-level access or higher, without verifying that the user has the necessary permissions to change refund statuses [1].
Exploitation
An attacker who is authenticated as a Subscriber (or any higher role) can exploit this by sending a crafted request to the update_refund_status endpoint. No additional privileges or special conditions are required. The attacker can set the refund status to either "approved" or "rejected" arbitrarily.
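The missing check described above, as an added illustration that is not the plugin's own code: a WordPress AJAX handler for a refund-status update, first in the shape the description implies (no authorization check at all), then with the nonce, capability and input checks a hardened handler needs. The action name, nonce name and post meta key are hypothetical.

```php
<?php
// Added illustration, not code from the Refund Request for WooCommerce plugin.
// Hypothetical names: action 'rrw_update_refund_status', nonce 'rrw_refund_nonce',
// post meta key '_rrw_refund_status'.

// VULNERABLE pattern (not registered here): every logged-in user can reach a
// wp_ajax_* callback, and nothing asks whether this user may decide refunds.
function rrw_update_refund_status_vulnerable() {
    $request_id = absint( $_POST['request_id'] ?? 0 );
    $status     = sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) );
    update_post_meta( $request_id, '_rrw_refund_status', $status ); // Subscriber reaches this
    wp_send_json_success();
}

// HARDENED pattern: CSRF nonce, capability check, and an allow-list on the value.
add_action( 'wp_ajax_rrw_update_refund_status', 'rrw_update_refund_status_hardened' );
function rrw_update_refund_status_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action (dies on failure).
    check_ajax_referer( 'rrw_refund_nonce', 'nonce' );

    // 2. Authorization: manage_woocommerce is held by Shop Manager and Administrator,
    //    not by Subscriber. This is the check the advisory says is missing.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: only the two documented states are accepted.
    $allowed    = array( 'approved', 'rejected' );
    $request_id = absint( $_POST['request_id'] ?? 0 );
    $status     = sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) );
    if ( ! $request_id || ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid request.' ), 400 );
    }

    update_post_meta( $request_id, '_rrw_refund_status', $status );
    wp_send_json_success( array( 'request_id' => $request_id, 'status' => $status ) );
}
```

A static scan for `wp_ajax_` callbacks that write data without a `current_user_can()` call is a quick way to find the same pattern in other plugins.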
Impact
Successful exploitation allows an attacker to approve fraudulent refund requests or reject legitimate ones, potentially causing financial loss to the store owner or disrupting customer service. The vulnerability affects all versions up to and including 1.0.
Mitigation
The plugin has been closed and removed from the WordPress plugin repository as of November 20, 2025, due to this security issue [1]. Users are advised to remove the plugin immediately and seek alternative refund management solutions. No patched version is available.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <=1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions: no linked articles in our index yet.