WordPress Plugin Vulnerabilities

Return Refund and Exchange For WooCommerce < 4.5.6 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Order Message Read

Description

The Return Refund and Exchange For WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.5.5 via the wps_rma_fetch_order_msgs() due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read other user's order messages.

Affects Plugins

Plugin icon
woo-refund-and-exchange-lite
Fixed in 4.5.6

References

CVE
CVE-2025-12881
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9c159237-1a3a-4d42-9a2e-fbd6ca98f38e

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Powpy
Verified
No
WPVDB ID
deb12a40-1ad0-4cfa-9bec-343a10ff9290

Timeline

Publicly Published
2025-11-20 (about 6 months ago)
Added
2025-11-20 (about 6 months ago)
Last Updated
2025-11-21 (about 6 months ago)

Other

Published
Title
Published
2026-04-15
Title
FluentBoards – Project Management, Task Management, Goal Tracking, Kanban Board, and, Team Collaboration < 1.91.3 - Authenticated (Board Member+) Insecure Direct Object Reference
Published
2025-12-11
Title
Campay Woocommerce Payment Gateway < 1.2.3 - Unauthenticated Payment Bypass
Published
2021-03-17
Title
BuddyPress < 7.2.1 - Force a Friendship
Published
2024-04-17
Title
EAN for WooCommerce < 4.9.3 - Insecure Direct Object Reference to Sensitve Information Exposure via Shortcode
Published
2024-12-13
Title
Get Post Content Shortcode <= 0.4 - Insecure Direct Object Reference to Authenticated (Contributor+) Sensitive Information Disclosure via post_content Shortcode