1. Home
  2. CVE Database
  3. CVE-2025-10570
MEDIUM · 4.3

CVE-2025-10570

The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.38 via the save_refund_request() function. Th...

Vulnerability Description

The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.38 via the save_refund_request() function. This makes it possible for authenticated attackers, with subscriber-level access and above, to submit refund requests for arbitrary orders that they do not own.

CVSS Score

4.3

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
NONE
Integrity
LOW
Availability
NONE

Related Weaknesses (CWE)

CWE-639

References

FAQ

What is CVE-2025-10570?

CVE-2025-10570 is a vulnerability with a CVSS score of 4.3 (MEDIUM). The Flexible Refund and Return Order for WooCommerce plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.38 via the save_refund_request() function. Th...

How severe is CVE-2025-10570?

CVE-2025-10570 has been rated MEDIUM with a CVSS base score of 4.3/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-10570?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.