CVE-2025-12621 is an authorization vulnerability classified under CWE-863, found in the wpdesk Flexible Refund and Return Order for WooCommerce plugin for WordPress. The flaw exists due to a misconfigured capability check in the 'create_refund' function, which is responsible for handling refund request status updates. Specifically, the plugin fails to properly restrict this function to only authorized roles, allowing any authenticated user with Contributor-level permissions or higher to modify refund statuses, including approving or denying refund requests. This vulnerability affects all plugin versions up to and including 1.0.42. Since Contributor-level access is relatively low privilege in WordPress, this expands the attack surface significantly. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network. The CVSS 3.1 score of 5.3 reflects a medium severity, with no impact on confidentiality or availability but a clear integrity impact. No patches or fixes are currently linked, and no known exploits have been reported in the wild as of the publication date. The vulnerability could be leveraged by malicious insiders or compromised accounts to manipulate refund processes, potentially causing financial loss or reputational damage to e-commerce merchants using WooCommerce with this plugin.

The primary impact of this vulnerability is on the integrity of refund management within WooCommerce stores using the affected plugin. Unauthorized users with Contributor-level access can manipulate refund statuses, approving fraudulent refunds or denying legitimate ones. This can lead to financial losses for merchants, customer dissatisfaction, and potential reputational harm. Since the vulnerability does not affect confidentiality or availability, data leakage or service disruption is unlikely. However, the ability to alter refund outcomes undermines trust in the e-commerce platform and can facilitate fraud or abuse. Organizations with multiple contributors or less stringent role management are at higher risk, as attackers can exploit compromised or malicious contributor accounts. The vulnerability's network accessibility and lack of user interaction requirements increase the risk of exploitation. Overall, the threat is moderate but significant for businesses relying on accurate refund processing.

To mitigate this vulnerability, organizations should immediately review and tighten WordPress user role assignments, ensuring that only trusted users have Contributor-level or higher access. Implement the principle of least privilege by restricting contributor roles or temporarily disabling refund management capabilities for lower-privileged users. Monitor refund request logs for unusual activity or unauthorized status changes. Since no official patch is currently available, consider disabling or replacing the wpdesk Flexible Refund and Return Order plugin until a fixed version is released. Additionally, implement multi-factor authentication (MFA) for all WordPress accounts to reduce the risk of account compromise. Regularly audit plugin updates and subscribe to vendor security advisories to apply patches promptly once available. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious refund status modification attempts. Finally, educate staff about the risks of privilege misuse and enforce strong password policies.