Skip to main content

Flexible Refund Plugin CVE-2026-57402

| EUVDEUVD-2026-43474 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-13 Patchstack
6.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
vuln.today AI
5.4 MEDIUM

Stored XSS requires low-privilege auth (PR:L) and admin view (UI:R); scope changes to admin browser (S:C), but availability impact is not applicable to standard XSS.

3.1 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

2
Analysis Generated
Jul 13, 2026 - 11:26 vuln.today
CVE Published
Jul 13, 2026 - 08:41 cve.org
MEDIUM 6.5

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdesk Flexible Refund and Return Order for WooCommerce flexible-refund-and-return-order-for-woocommerce allows Stored XSS.This issue affects Flexible Refund and Return Order for WooCommerce: from n/a through <= 1.0.51.

AnalysisAI

Stored cross-site scripting in the wpdesk Flexible Refund and Return Order for WooCommerce plugin (versions through 1.0.51) allows authenticated low-privileged users - such as registered WooCommerce customers - to inject persistent malicious scripts that execute in the browsers of other users, including administrators who review refund submissions. The scope-changed CVSS vector (S:C) confirms impact crosses security boundaries, enabling session hijacking, credential theft, or unauthorized administrative actions against shop owners. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register WooCommerce customer account
Delivery
Submit refund request with stored XSS payload
Exploit
Payload persisted in database
Execution
Admin opens refund review dashboard
Persist
Malicious script executes in admin browser
Impact
Exfiltrate session token or perform unauthorized admin actions

Vulnerability AssessmentAI

Exploitation Exploitation requires the attacker to possess a valid WooCommerce customer account with sufficient privilege to submit a refund or return request (PR:L), which on most public WooCommerce stores is available to any user who can register or complete a purchase. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 6.5 score (AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L) places this in the medium range by score, but real-world risk on public WooCommerce storefronts is meaningfully higher than that score suggests. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers as a WooCommerce customer on the target store and submits a refund request, injecting a JavaScript payload into a text field that lacks proper output encoding before database storage. When a shop administrator opens the WooCommerce admin dashboard to review pending refund requests, the stored script silently executes in their browser, exfiltrating the admin session cookie or WordPress nonce tokens to an attacker-controlled endpoint. …
Remediation Upgrade the Flexible Refund and Return Order for WooCommerce plugin to a version above 1.0.51 - consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/flexible-refund-and-return-order-for-woocommerce/vulnerability/wordpress-flexible-refund-and-return-order-for-woocommerce-plugin-1-0-51-cross-site-scripting-xss-vulnerability and the WordPress Plugin Directory to confirm the exact patched release, as no specific fix version was included in the available data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57402 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy