CVE-2024-13692: CWE-285 Improper Authorization in wpswings Return Refund and Exchange For WooCommerce
The Return Refund and Exchange For WooCommerce – Return Management System, RMA Exchange, Wallet And Cancel Order Features plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.4.5 via several functions due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to overwrite linked refund image attachments, overwrite refund request message, overwrite order messages, and read order messages of other users.
AI Analysis
Technical Summary
The Return Refund and Exchange For WooCommerce plugin suffers from an improper authorization vulnerability (CWE-285) caused by missing validation on a user-controlled key. This insecure direct object reference flaw allows unauthenticated attackers to overwrite linked refund image attachments, refund request messages, and order messages, as well as read order messages belonging to other users. The vulnerability affects all versions up to 4.4.5 and has a CVSS 3.1 base score of 5.4, indicating medium severity. There is no indication of known exploits in the wild or available patches.
Potential Impact
An attacker without authentication can manipulate refund and order-related data of other users by exploiting missing authorization checks. This can lead to unauthorized disclosure of order messages and unauthorized modification of refund images and messages. The impact is limited to confidentiality and integrity of order and refund data, with no reported availability impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no patch or official fix information is provided, users should monitor the vendor's communications for updates. Until a fix is available, restrict access to the plugin's functionality to trusted users and consider disabling or limiting the affected features if possible.
CVE-2024-13692: CWE-285 Improper Authorization in wpswings Return Refund and Exchange For WooCommerce
Description
The Return Refund and Exchange For WooCommerce – Return Management System, RMA Exchange, Wallet And Cancel Order Features plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.4.5 via several functions due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to overwrite linked refund image attachments, overwrite refund request message, overwrite order messages, and read order messages of other users.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Return Refund and Exchange For WooCommerce plugin suffers from an improper authorization vulnerability (CWE-285) caused by missing validation on a user-controlled key. This insecure direct object reference flaw allows unauthenticated attackers to overwrite linked refund image attachments, refund request messages, and order messages, as well as read order messages belonging to other users. The vulnerability affects all versions up to 4.4.5 and has a CVSS 3.1 base score of 5.4, indicating medium severity. There is no indication of known exploits in the wild or available patches.
Potential Impact
An attacker without authentication can manipulate refund and order-related data of other users by exploiting missing authorization checks. This can lead to unauthorized disclosure of order messages and unauthorized modification of refund images and messages. The impact is limited to confidentiality and integrity of order and refund data, with no reported availability impact.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no patch or official fix information is provided, users should monitor the vendor's communications for updates. Until a fix is available, restrict access to the plugin's functionality to trusted users and consider disabling or limiting the affected features if possible.
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- Wordfence
- Date Reserved
- 2025-01-23T20:27:10.879Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 699f6e68b7ef31ef0b5a018a
Added to database: 2/25/2026, 9:49:28 PM
Last enriched: 4/9/2026, 6:46:15 AM
Last updated: 4/12/2026, 6:54:58 PM
Views: 16
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.