WordPress Plugin Vulnerabilities

Return Refund and Exchange For WooCommerce < 4.4.6 - Subscriber+ IDOR

Description

The plugin is vulnerable to Insecure Direct Object Reference via several functions due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to overwrite linked refund image attachments, overwrite refund request message, overwrite order messages, and read order messages of other users.

Affects Plugins

Plugin icon
woo-refund-and-exchange-lite
Fixed in 4.4.6

References

CVE
CVE-2024-13692
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/dafbf6e2-1160-4551-a987-5e94c9157ff2

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Tim Coen
Verified
No
WPVDB ID
b69de497-ec28-40fd-81ca-518fb16c9d68

Timeline

Publicly Published
2025-02-13 (about 1 year ago)
Added
2025-02-14 (about 1 year ago)
Last Updated
2025-02-14 (about 1 year ago)

Other

Published
Title
Published
2025-11-10
Title
Wisly <= 1.0.0 - Insecure Direct Object Reference to Unauthenticated Wishlist Manipulation
Published
2025-11-11
Title
Wishlist and Save for later for Woocommerce < 1.1.23 - Insecure Direct Object Reference to Authenticated (Subscriber+) Wishlist Item Deletion
Published
2024-12-04
Title
AnyWhere Elementor < 1.2.12 - Authenticated (Contributor+) Post Disclosure
Published
2023-07-05
Title
BadgeOS <= 3.7.1.6 - Subscriber+ IDOR
Published
2024-12-11
Title
Greenshift – animation and page builder blocks < 9.9.9.4 - Authenticated (Contributor+) Post Disclosure