Insecure Direct Object Reference in WooCommerce Return Refund and Exchange Plugin by WordPress
CVE-2025-12881

5.4MEDIUM

Key Information:

Vendor

WordPress

CVE Published:
21 November 2025

What is CVE-2025-12881?

The Return Refund and Exchange For WooCommerce plugin, in all versions up to and including 4.5.5, is vulnerable to Insecure Direct Object Reference (IDOR) in the wps_rma_fetch_order_msgs() function. The function selects an order's message thread using a key taken from the request, and it does not validate that the requesting user is entitled to that order. Any authenticated user with Subscriber-level access or higher can therefore supply another customer's key and read the return/refund messages attached to that order, which is an unauthorized information disclosure. The page does not state a fixed version; sites running 4.5.5 or earlier should treat the endpoint as exposed to any registered user.
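The following is an added illustration of the bug class described above, not code from the Return Refund and Exchange For WooCommerce plugin or from its vendor. It shows a hypothetical WordPress AJAX handler that returns an order's message thread, first written with the IDOR pattern (the order key from the request is trusted, and the only check is that some user is logged in) and then hardened with object-level authorization. The action names, the nonce name, the meta key and the helper function names are assumptions; the WordPress and WooCommerce API calls (add_action, check_ajax_referer, absint, wc_get_order, get_current_user_id, current_user_can, wp_send_json_success/error) are real.

```php
<?php
/**
 * Added example, not the plugin's own code. Demonstrates the IDOR pattern in
 * CVE-2025-12881 (order key from the request used without checking who owns
 * the order) beside a hardened handler. Names marked "assumed" are invented.
 */

// Assumed storage helper: messages live in order meta under an assumed key.
function rma_demo_get_msgs( WC_Order $order ) {
    $msgs = $order->get_meta( '_rma_demo_order_msgs', true );
    return is_array( $msgs ) ? $msgs : array();
}

// --- Vulnerable pattern: any logged-in user can read any order's messages ---
function rma_demo_fetch_order_msgs_vulnerable() {
    // The key is taken straight from the request and used as-is.
    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;

    // Only proves that *a* user is logged in, not that this user owns the order.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 403 );
    }

    $order = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( 'not found', 404 );
    }
    // Subscriber A asking for Subscriber B's order id gets B's thread here.
    wp_send_json_success( rma_demo_get_msgs( $order ) );
}
add_action( 'wp_ajax_rma_demo_fetch_order_msgs', 'rma_demo_fetch_order_msgs_vulnerable' );

// --- Hardened version: CSRF nonce plus object-level authorization ---
function rma_demo_user_can_read_order( WC_Order $order ) {
    // Shop staff may read any order; customers only the orders they placed.
    if ( current_user_can( 'manage_woocommerce' ) ) {
        return true;
    }
    $uid = get_current_user_id();
    return $uid > 0 && (int) $order->get_customer_id() === $uid;
}

function rma_demo_fetch_order_msgs_hardened() {
    // Nonce check (assumed nonce action name) so the endpoint is not CSRF-able.
    check_ajax_referer( 'rma_demo_msgs_nonce', 'nonce' );

    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $order    = wc_get_order( $order_id );

    // Bind the user-controlled key to the caller. "Missing" and "not yours"
    // get the same response so the endpoint is not an order-id oracle.
    if ( ! $order || ! rma_demo_user_can_read_order( $order ) ) {
        wp_send_json_error( 'not found', 404 );
    }

    wp_send_json_success( rma_demo_get_msgs( $order ) );
}
add_action( 'wp_ajax_rma_demo_fetch_order_msgs_secure', 'rma_demo_fetch_order_msgs_hardened' );
```

The check that matters is rma_demo_user_can_read_order(): it compares the order's customer id with the caller's user id (or requires a staff capability) before any data is returned. A quick test of a live site is to log in as a Subscriber and request the message thread for an order id that belongs to a different customer; a correct handler must refuse, and it should refuse with the same response it gives for a nonexistent order. Whether the plugin's own fix follows exactly this shape is not something this advisory states.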


Affected Version(s)

Return Refund and Exchange For WooCommerce: all versions <= 4.5.5

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
None (the 5.4 score corresponds to vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N; with A:L the same metrics would score 6.3, and a read-only disclosure does not affect availability)
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Credit

Powpy