PT-2025-6599 · WordPress · The Return Refund/Exchange For Woocommerce

Tim Coen · Published 2025-02-14 · Updated 2025-02-14 · CVE-2024-13692

CVSS v3.1: 5.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

The Return Refund and Exchange For WooCommerce – Return Management System, RMA Exchange, Wallet And Cancel Order Features plugin for WordPress, versions up to and including 4.4.5

Description

The plugin contains an Insecure Direct Object Reference (IDOR) vulnerability caused by missing validation on a user-controlled key. Unauthenticated attackers can use it to overwrite linked refund image attachments, overwrite refund request messages, overwrite order messages, and read the order messages of other users.

Recommendations

For versions up to and including 4.4.5, update to a version later than 4.4.5 to resolve the issue. As a temporary workaround, consider restricting access to the functions that handle refund image attachments, refund request messages, and order messages until a patch is available.
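The root cause described above is a handler that trusts a client-supplied object key (an order or refund-request id) without checking that the caller is allowed to touch that object. The following is an added illustration of how such WordPress AJAX handlers are normally hardened; it is not the plugin's code, and every `rma_demo_*` name, the `rma_demo_nonce` action and the `order_message` meta key are hypothetical. Only the standard WordPress and WooCommerce calls (`wp_ajax_*` hooks, `check_ajax_referer`, `wc_get_order`, `WC_Order::get_customer_id`, `current_user_can`) are real.

```php
<?php
// Added example, not the plugin's own code. All rma_demo_* identifiers,
// the 'rma_demo_nonce' action and the 'order_message' meta key are hypothetical.

// Only the authenticated hook is registered. Deliberately NOT registering
// 'wp_ajax_nopriv_...' means anonymous callers never reach these handlers.
add_action( 'wp_ajax_rma_demo_get_order_message',    'rma_demo_get_order_message' );
add_action( 'wp_ajax_rma_demo_update_order_message', 'rma_demo_update_order_message' );

/**
 * Resolve a client-supplied order id to a WC_Order the current user may access.
 * Sends a JSON error and exits on any failure, so callers can rely on the result.
 *
 * The IDOR pattern is using $_POST['order_id'] directly as the key and skipping
 * the ownership comparison below; the key alone proves nothing about the caller.
 */
function rma_demo_authorize_order() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'authentication required', 401 );
    }

    // CSRF protection: the request must carry a nonce issued to this user.
    check_ajax_referer( 'rma_demo_nonce', 'nonce' );

    // Treat the key as untrusted input: coerce to a non-negative integer.
    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    $order    = $order_id ? wc_get_order( $order_id ) : false;
    if ( ! $order ) {
        wp_send_json_error( 'not found', 404 );
    }

    // Authorization: the order must belong to the caller, or the caller must
    // hold the shop-management capability. This is the check whose absence
    // lets one customer read or overwrite another customer's messages.
    $is_owner   = (int) $order->get_customer_id() === get_current_user_id();
    $is_manager = current_user_can( 'manage_woocommerce' );
    if ( ! $is_owner && ! $is_manager ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    return $order;
}

// Read path: returns the message only after the ownership check passed.
function rma_demo_get_order_message() {
    $order = rma_demo_authorize_order();
    wp_send_json_success( array( 'message' => $order->get_meta( 'order_message' ) ) );
}

// Write path: the same authorization guards overwrites, and the new value is
// sanitized before it is stored.
function rma_demo_update_order_message() {
    $order   = rma_demo_authorize_order();
    $message = isset( $_POST['message'] ) ? sanitize_textarea_field( wp_unslash( $_POST['message'] ) ) : '';
    $order->update_meta_data( 'order_message', $message );
    $order->save();
    wp_send_json_success( array( 'updated' => true ) );
}
```

The same shape applies to the refund-request and attachment handlers named in the advisory: resolve the id to an object, compare the object's owner to `get_current_user_id()` (or require a capability), and only then read or write. Keeping the check in one shared helper avoids the situation where the read path is guarded but a write path is not.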

Fix

Improper Authorization

IDOR


Weakness Enumeration

Related Identifiers

CVE-2024-13692

Affected Products

The Return Refund/Exchange For Woocommerce