CVE-2025-10570 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting the Flexible Refund and Return Order for WooCommerce plugin for WordPress. The vulnerability resides in the save_refund_request() function, which fails to properly verify that the authenticated user submitting a refund request actually owns the order in question. This missing authorization check allows any authenticated user with subscriber-level access or higher to submit refund requests for arbitrary orders, potentially leading to fraudulent refund processing. The vulnerability affects all versions up to and including 1.0.38. Exploitation requires the attacker to be authenticated but does not require any user interaction beyond that. The flaw impacts the integrity of the refund process by allowing unauthorized refund requests but does not expose confidential data or disrupt availability. The CVSS v3.1 base score is 4.3, indicating medium severity, with attack vector network, low attack complexity, privileges required at low level, no user interaction, and unchanged scope. No patches or exploits are currently publicly available, but the vulnerability is published and should be addressed promptly by affected users.

The primary impact of this vulnerability is on the integrity of e-commerce transactions managed through WooCommerce stores using the affected plugin. Unauthorized refund requests can lead to financial losses due to fraudulent refunds being processed without proper ownership verification. This undermines trust in the refund system and can cause operational disruptions as store administrators must manually verify and potentially reverse unauthorized refunds. While confidentiality and availability are not directly affected, the financial and reputational damage to organizations can be significant, especially for high-volume online retailers. Attackers with subscriber-level access, which is a common baseline user role in WordPress, can exploit this vulnerability, increasing the risk of insider threats or compromised low-privilege accounts being leveraged. Organizations worldwide using WooCommerce with this plugin are at risk, particularly those with large customer bases and frequent refund transactions.

To mitigate this vulnerability, organizations should immediately update the Flexible Refund and Return Order for WooCommerce plugin to a patched version once available. In the absence of an official patch, administrators should implement manual authorization checks by customizing the save_refund_request() function or applying access control filters to ensure refund requests are only accepted from users who own the respective orders. Restrict subscriber-level users from accessing refund request functionalities until a fix is applied. Enable detailed logging and monitoring of refund request activities to detect anomalous or unauthorized submissions. Additionally, enforce strong authentication and account security policies to reduce the risk of compromised low-privilege accounts being used for exploitation. Regularly audit user roles and permissions within WordPress to minimize unnecessary privileges. Finally, consider deploying a web application firewall (WAF) with custom rules to block suspicious refund request patterns targeting this plugin endpoint.