Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Stored XSS requires low-privilege auth (PR:L) and admin view (UI:R); scope changes to admin browser (S:C), but availability impact is not applicable to standard XSS.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdesk Flexible Refund and Return Order for WooCommerce flexible-refund-and-return-order-for-woocommerce allows Stored XSS.This issue affects Flexible Refund and Return Order for WooCommerce: from n/a through <= 1.0.51.
AnalysisAI
Stored cross-site scripting in the wpdesk Flexible Refund and Return Order for WooCommerce plugin (versions through 1.0.51) allows authenticated low-privileged users - such as registered WooCommerce customers - to inject persistent malicious scripts that execute in the browsers of other users, including administrators who review refund submissions. The scope-changed CVSS vector (S:C) confirms impact crosses security boundaries, enabling session hijacking, credential theft, or unauthorized administrative actions against shop owners. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the attacker to possess a valid WooCommerce customer account with sufficient privilege to submit a refund or return request (PR:L), which on most public WooCommerce stores is available to any user who can register or complete a purchase. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 6.5 score (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) places this in the medium range by score, but real-world risk on public WooCommerce storefronts is meaningfully higher than that score suggests. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers as a WooCommerce customer on the target store and submits a refund request, injecting a JavaScript payload into a text field that lacks proper output encoding before database storage. When a shop administrator opens the WooCommerce admin dashboard to review pending refund requests, the stored script silently executes in their browser, exfiltrating the admin session cookie or WordPress nonce tokens to an attacker-controlled endpoint. … |
| Remediation | Upgrade the Flexible Refund and Return Order for WooCommerce plugin to a version above 1.0.51 - consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/flexible-refund-and-return-order-for-woocommerce/vulnerability/wordpress-flexible-refund-and-return-order-for-woocommerce-plugin-1-0-51-cross-site-scripting-xss-vulnerability and the WordPress Plugin Directory to confirm the exact patched release, as no specific fix version was included in the available data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43474