CVE-2024-13692: Return Refund and Exchange For WooCommerce <= 4.4.5 - Authenticated (Subscriber+) Insecure Direct Object Reference
First published: Fri Feb 14 2025(Updated: )
The Return Refund and Exchange For WooCommerce – Return Management System, RMA Exchange, Wallet And Cancel Order Features plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.4.5 via several functions due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to overwrite linked refund image attachments, overwrite refund request message, overwrite order messages, and read order messages of other users.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| WooCommerce Returns and Warranty Requests | <=4.4.5 | |
| WooCommerce Return Refund and Exchange For WooCommerce | <4.4.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.wordfence.com/threat-intel/vulnerabilities/id/dafbf6e2-1160-4551-a987-5e94c9157ff2?source=cve
- https://plugins.trac.wordpress.org/browser/woo-refund-and-exchange-lite/trunk/common/class-woo-refund-and-exchange-lite-common.php#L127
- https://plugins.trac.wordpress.org/browser/woo-refund-and-exchange-lite/trunk/common/class-woo-refund-and-exchange-lite-common.php#L186
- https://plugins.trac.wordpress.org/browser/woo-refund-and-exchange-lite/trunk/common/class-woo-refund-and-exchange-lite-common.php#L374
- https://plugins.trac.wordpress.org/browser/woo-refund-and-exchange-lite/trunk/public/class-woo-refund-and-exchange-lite-public.php#L381
- https://plugins.trac.wordpress.org/changeset/3236486/
Frequently Asked Questions
What is the severity of CVE-2024-13692?
CVE-2024-13692 is classified as a medium-severity vulnerability due to its potential for unauthorized access.
How do I fix CVE-2024-13692?
To fix CVE-2024-13692, upgrade the Return Refund and Exchange For WooCommerce plugin to version 4.4.6 or later.
What software is affected by CVE-2024-13692?
CVE-2024-13692 affects all versions of the Return Refund and Exchange For WooCommerce plugin up to and including version 4.4.5.
What type of vulnerability is CVE-2024-13692?
CVE-2024-13692 is an Insecure Direct Object Reference vulnerability.
Can CVE-2024-13692 lead to data exposure?
Yes, CVE-2024-13692 can lead to unauthorized data access and exposure of sensitive information.
- agent/title
- agent/references
- agent/type
- agent/description
- agent/first-publish-date
- agent/severity
- agent/source
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/remedy
- agent/last-modified-date
- agent/weakness
- agent/tags
- agent/softwarecombine
- agent/event
- collector/nvd-api
- source/NVD
- vendor/woocommerce
- canonical/woocommerce returns and warranty requests
- vendor/wpswings
- canonical/woocommerce return refund and exchange for woocommerce