← voltar
CVE-2025-12881

Return Refund and Exchange For WooCommerce <= 4.5.5 - Insecure Direct Object Reference to Authenticated (Subscriber+) Arbitrary Order Message Read

CVSS 5.4 MEDIUMEPSS 0.1%CWE-639
Vexday Risk Score
13Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 5.4EPSS 0.1%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
21 nov 2025Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
The Return Refund and Exchange For WooCommerce plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.5.5 via the wps_rma_fetch_order_msgs() due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read other user's order messages.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Produtos afetados
wpswings · Return Refund and Exchange For WooCommerce

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3394215%40woo-refund-and-exchange-lite&new=3394215%40woo-refund-and-exchange-lite&sfp_email=&sfph_mail=https://www.wordfence.com/threat-intel/vulnerabilities/id/9c159237-1a3a-4d42-9a2e-fbd6ca98f38e?source=cve