CVE-2025-12621: 
WordPress vulnerability analysis and mitigation

The Flexible Refund and Return Order for WooCommerce plugin for WordPress contains a vulnerability (CVE-2025-12621) related to unauthorized modification of refund requests. The vulnerability was discovered by researcher Powpy and was publicly disclosed on November 7, 2025. This security issue affects versions up to 1.0.42 of the plugin (Wordfence).

The vulnerability stems from improper authorization checks in the Ajax.php file within the plugin's core functionality. The issue allows authenticated users with contributor-level access to modify refund requests, bypassing intended permission restrictions. The vulnerability has been assigned a CVSS v3.1 score of 5.3 (Medium) (Wordfence).

If exploited, this vulnerability could allow authenticated users with lower-level permissions to modify refund requests, potentially leading to unauthorized changes in order refund statuses. This could result in financial impact and disruption of normal business operations for affected WooCommerce stores.

The vulnerability has been patched in version 1.0.43 of the plugin, released on November 6, 2025. Store owners are strongly advised to update to this version immediately. The fix implements proper authorization checks for refund request modifications (WordPress Plugin Repository).