CVE-2025-12086 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) found in the Return Refund and Exchange For WooCommerce plugin for WordPress. The vulnerability exists in all versions up to and including 4.5.5 and is triggered via the 'wps_rma_cancel_return_request' AJAX endpoint. This endpoint fails to properly validate the user-controlled key parameter, allowing an authenticated user with Subscriber-level privileges or higher to delete refund requests submitted by other users. This is a classic Insecure Direct Object Reference (IDOR) scenario where the application does not verify that the requesting user is authorized to perform actions on the targeted resource. The vulnerability impacts the integrity of refund request data, potentially disrupting customer service and refund processes. The CVSS v3.1 score is 4.3 (medium severity), reflecting that the attack vector is network-based, requires low attack complexity, and privileges but no user interaction. No known exploits have been reported in the wild as of the publication date. The vulnerability's scope is limited to WooCommerce stores using this specific plugin, but given WooCommerce's widespread adoption, the exposure is significant. The lack of patch links suggests that a fix may not yet be publicly available, increasing the urgency for mitigation through access control or plugin updates once released.

The primary impact of this vulnerability is on data integrity, as attackers can delete refund requests submitted by other users, potentially leading to financial discrepancies, customer dissatisfaction, and operational disruption in e-commerce workflows. While confidentiality and availability are not directly affected, the ability to manipulate refund requests undermines trust in the refund process and could be exploited for fraud or denial of service against customer support functions. Organizations relying on this plugin for managing returns and refunds may face increased customer complaints, reputational damage, and potential financial loss. Since exploitation requires only Subscriber-level access, which is a low privilege level in WordPress, the risk is elevated in environments where user registration is open or poorly controlled. The vulnerability could be leveraged by malicious insiders or compromised accounts to disrupt business operations. The absence of known exploits in the wild reduces immediate threat but does not eliminate the risk of future attacks once the vulnerability becomes widely known.

Organizations should immediately review user roles and permissions to ensure that Subscriber-level accounts are tightly controlled and monitored. Restricting user registrations or implementing CAPTCHA and email verification can reduce the risk of unauthorized account creation. Until an official patch is released, consider disabling or removing the Return Refund and Exchange For WooCommerce plugin if feasible, or restricting access to the vulnerable AJAX endpoint via web application firewall (WAF) rules that block unauthorized requests. Monitoring logs for suspicious activity related to refund request deletions can help detect exploitation attempts. Once a patch is available, prioritize its deployment across all affected systems. Additionally, implementing custom validation or access control checks on refund request operations can provide defense in depth. Educating staff about the risk and encouraging prompt reporting of anomalies in refund processing will also help mitigate impact.