Flexible Refund and Return Order for WooCommerce Security & Risk Analysis

wordpress.org/plugins/flexible-refund-and-return-order-for-woocommerce

WooCommerce refund and returns process made simple. Let your customers request a refund and return products directly from the My Account page.

1K active installs · v1.0.49 · PHP 7.4+ · WP 6.4+ · Updated Mar 7, 2026

Tags: woocommerce-cancel-order, woocommerce-order-management, woocommerce-refund, woocommerce-refunds, woocommerce-returns

Score: 98 · A · Safe
CVEs total: 2
Unpatched: 0
Last CVE: Nov 7, 2025
Safety Verdict

Is Flexible Refund and Return Order for WooCommerce Safe to Use in 2026?

Generally Safe

Score 98/100

Flexible Refund and Return Order for WooCommerce has two known CVEs, both rated medium and both patched within a day of disclosure; nothing is currently unpatched.

2 known CVEs · Last CVE: Nov 7, 2025 · Updated 27d ago
Risk Assessment

The scan data on this page is mixed, and the headline score should be read together with the details below. The plugin has a small entry-point surface (4 entry points: 3 AJAX handlers, all registered on the login-required `wp_ajax_` hook, and 1 shortcode) and two known CVEs, both medium severity and both patched within a day. The static-analysis hits need context. Every dangerous-function finding is in vendored third-party code under `vendor_prefixed\`, not in the plugin's own `src\`: Monolog's ProcessHandler, GitProcessor and MercurialProcessor, plus a Composer command class from wpdesk/wp-codeception. The two `shell_exec` calls run fixed command strings, and none of those files is attached to any of the 50 WordPress hooks listed on this page, so they are not reachable through the refund workflow as far as this analysis shows (shipping a Codeception/Composer command class in a production build is still unnecessary surface). The findings that do belong to the plugin's own behaviour are the two raw SQL queries with no `$wpdb->prepare()` and the low output-escaping ratio (125 of 456 outputs, 27%), which is the usual precursor to stored or reflected XSS in admin and My Account templates.

The vulnerability history is the most useful signal. Both 2025 CVEs are authorization failures in the refund workflow: CVE-2025-10570 let any authenticated user (Subscriber+) raise a refund against an order they did not own by supplying another order's ID (Authorization Bypass Through User-Controlled Key), and seventeen days later CVE-2025-12621 let Contributor+ users update refund status without the required capability (Incorrect Authorization). Two bugs of the same class in the same code path suggest the ownership and capability checks were added handler by handler rather than at a single chokepoint, so the remaining AJAX and My Account handlers that take an order ID deserve review. The taint analysis flags two of four data flows with unsanitized paths, including `handle_ajax_request` in the bundled deactivation-modal library, but rated none of them critical or high. The attack-surface scan counts one of the four entry points as unprotected without naming it; since all three AJAX actions are on `wp_ajax_`, the gap is a missing nonce or capability check rather than missing login.

In short: no unpatched vulnerabilities, fast fixes, and a codebase whose worst static hits sit in vendored libraries. The residual risk is concentrated in order-scoped authorization and output escaping. Operators should run 1.0.43 or later (the page lists 1.0.49 as current), treat the two raw queries and the unprotected entry point as items to review themselves if the store handles high-value refunds, and watch the refund status and request endpoints in logs for order IDs that do not belong to the requesting customer.

Key Concerns

  • One of four entry points flagged as unprotected (not named; all three AJAX handlers require a logged-in user)
  • Dangerous functions found (proc_open, shell_exec, passthru, unserialize), all in vendored libraries under vendor_prefixed\
  • 2 raw SQL queries, 0 using $wpdb->prepare()
  • 27% of outputs escaped (125 of 456)
  • 2 of 4 data flows with unsanitized paths
  • Past vulnerability: Authorization Bypass Through User-Controlled Key (CVE-2025-10570, order ID from request)
  • Past vulnerability: Incorrect Authorization (CVE-2025-12621, refund status update)
Vulnerabilities (2)

Flexible Refund and Return Order for WooCommerce Security Vulnerabilities

CVEs by Year

2025: 2 CVEs (both patched)

Severity Breakdown

Medium: 2 (2 total CVEs)

CVE-2025-12621 · medium · CVSS 5.3 · Incorrect Authorization

Flexible Refund and Return Order for WooCommerce <= 1.0.42 - Incorrect Authorization to Authenticated (Contributor+) Refund Status Update

Published Nov 7, 2025 · Patched in 1.0.43 (1 day)

CVE-2025-10570 · medium · CVSS 4.3 · Authorization Bypass Through User-Controlled Key

Flexible Refund and Return Order for WooCommerce <= 1.0.38 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Order Refund

Published Oct 21, 2025 · Patched in 1.0.39 (1 day)
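Both CVEs above come down to the same two checks missing from a refund AJAX handler: that the order ID in the request belongs to the calling customer, and that a status change requires a shop-management capability rather than any logged-in account. The following is an added example written for this page; it is not the plugin's code and not a reconstruction of the 1.0.39 or 1.0.43 patches. The hook names, nonce actions and the `wc-refund-requested` / `wc-refund-approved` / `wc-refund-rejected` status slugs are assumptions for illustration (custom statuses must be registered through the `wc_order_statuses` filter, as this plugin does in RegisterOrderStatus.php). It shows the user-controlled-key bug shape beside a hardened handler.

```php
<?php
/**
 * Added example, not the plugin's code. Shows the bug class behind
 * CVE-2025-10570 (order ID taken from the request with no ownership check)
 * next to a hardened handler, and the capability check that the
 * CVE-2025-12621 class (status update by any logged-in user) lacks.
 * Hook names, nonce actions and status slugs are assumptions.
 */

// --- Vulnerable shape (illustrative) -------------------------------------
// wp_ajax_ means the caller is logged in, but any Subscriber can pass any
// order_id and a refund request is raised against someone else's order.
add_action( 'wp_ajax_example_refund_request_vulnerable', function () {
    $order_id = absint( $_POST['order_id'] ?? 0 );
    $order    = wc_get_order( $order_id );
    if ( ! $order ) {
        wp_send_json_error( 'no such order', 404 );
    }
    // No comparison against get_current_user_id(): user-controlled key.
    $order->update_status( 'wc-refund-requested', 'Customer requested a refund' );
    wp_send_json_success();
} );

// --- Hardened shape ------------------------------------------------------
/**
 * Resolve an order the current user may act on.
 * Returns a WC_Order, or a WP_Error carrying the HTTP status to emit.
 */
function example_refund_authorize_order( int $order_id ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'auth', 'login required', array( 'status' => 401 ) );
    }
    $order = wc_get_order( $order_id );
    // Same 403 for "missing" and "not yours": no order-ID oracle.
    if ( ! $order instanceof WC_Order ) {
        return new WP_Error( 'forbidden', 'not allowed', array( 'status' => 403 ) );
    }
    $is_owner = (int) $order->get_customer_id() === get_current_user_id();
    $is_staff = current_user_can( 'manage_woocommerce' ); // shop manager / admin
    if ( ! $is_owner && ! $is_staff ) {
        return new WP_Error( 'forbidden', 'not allowed', array( 'status' => 403 ) );
    }
    return $order;
}

add_action( 'wp_ajax_example_refund_request', function () {
    // 1. CSRF: nonce action name is an assumption for this example.
    check_ajax_referer( 'example_refund_request', 'nonce' );

    // 2. Input: coerce before it touches anything.
    $order_id = absint( $_POST['order_id'] ?? 0 );
    $reason   = sanitize_textarea_field( wp_unslash( $_POST['reason'] ?? '' ) );

    // 3. Authorization on the object, not just on the session.
    $order = example_refund_authorize_order( $order_id );
    if ( is_wp_error( $order ) ) {
        wp_send_json_error( $order->get_error_message(), $order->get_error_data()['status'] );
    }

    // 4. State: only orders in a refundable state may be requested.
    if ( ! $order->has_status( array( 'completed', 'processing' ) ) ) {
        wp_send_json_error( 'order not refundable', 409 );
    }

    $order->update_status( 'wc-refund-requested', 'Customer requested a refund: ' . $reason );
    wp_send_json_success( array( 'order_id' => $order->get_id() ) );
} );

// Staff-only status changes (the CVE-2025-12621 class) need a capability
// check; a logged-in Contributor must not reach update_status().
add_action( 'wp_ajax_example_refund_status_update', function () {
    check_ajax_referer( 'example_refund_status_update', 'nonce' );
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( 'not allowed', 403 );
    }
    $order = wc_get_order( absint( $_POST['order_id'] ?? 0 ) );
    if ( ! $order instanceof WC_Order ) {
        wp_send_json_error( 'not allowed', 403 );
    }
    // Allow-list the target status instead of trusting the request string.
    $new_status = sanitize_key( $_POST['status'] ?? '' );
    if ( ! in_array( $new_status, array( 'wc-refund-approved', 'wc-refund-rejected' ), true ) ) {
        wp_send_json_error( 'bad status', 400 );
    }
    $order->update_status( $new_status );
    wp_send_json_success();
} );
```

The hardened handler returns the same 403 for an order that does not exist and for one owned by another customer, so the endpoint cannot be used to enumerate valid order IDs. It also checks `is_user_logged_in()` explicitly even though `wp_ajax_` already implies it, which keeps `example_refund_authorize_order()` safe if it is later reused from a REST route or a `wp_ajax_nopriv_` hook. `instanceof WC_Order` deliberately rejects `WC_Order_Refund` objects, which `wc_get_order()` can also return.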
Code Analysis
Analyzed Mar 16, 2026

Flexible Refund and Return Order for WooCommerce Code Analysis

Dangerous Functions: 6
Raw SQL Queries: 2 (0 prepared)
Unescaped Output: 331 (125 escaped)
Nonce Checks: 10
Capability Checks: 7
File Operations: 43
External Requests: 3
Bundled Libraries: 0

Dangerous Functions Found

proc_open · vendor_prefixed\monolog\monolog\src\Monolog\Handler\ProcessHandler.php:104
    $this->process = proc_open($this->command, static::DESCRIPTOR_SPEC, $this->pipes, $this->cwd);
shell_exec · vendor_prefixed\monolog\monolog\src\Monolog\Processor\GitProcessor.php:60
    $branches = shell_exec('git branch -v --no-abbrev');
shell_exec · vendor_prefixed\monolog\monolog\src\Monolog\Processor\MercurialProcessor.php:59
    $result = explode(' ', trim((string) shell_exec('hg id -nb')));
passthru · vendor_prefixed\wpdesk\wp-codeception\src\WPDesk\Composer\Commands\BaseCommand.php:20
    passthru($command);
unserialize · vendor_prefixed\wpdesk\wp-forms\src\Serializer\SerializeSerializer.php:15
    return unserialize($value);
unserialize · vendor_prefixed\wpdesk\wp-persistence\src\Decorator\SerializedPersistentContainer.php:24
    return unserialize($this->container->get($id));

All six hits are in vendored third-party code under vendor_prefixed\, none in the plugin's own src\. The Monolog ProcessHandler only spawns a process when a log handler is constructed with a command; GitProcessor and MercurialProcessor run fixed command strings with no request input; and BaseCommand.php is a Composer command class from the wp-codeception dev tooling, which has no business in a production build but is not attached to any WordPress hook listed on this page. The two unserialize() calls are the ones worth a closer look: both deserialize values read from a persistence container with no allowed_classes restriction, so an attacker who can write to those stored values (through a separate option-update bug, for example) would have a PHP object injection primitive.

SQL Query Safety

0% prepared (2 total queries)

Output Escaping

27% escaped (456 total outputs)
Data Flows (2 unsanitized)

Data Flow Analysis

4 flows, 2 with unsanitized paths

Flagged flow: handle_ajax_request (vendor_prefixed\wpdesk\wp-wpdesk-deactivation-modal\src\Service\RequestSenderService.php:61)
Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface (1 unprotected)

Flexible Refund and Return Order for WooCommerce Attack Surface

Entry Points: 4
Unprotected: 1

AJAX Handlers (3, all on the login-required wp_ajax_ hook)

wp_ajax_fr_refund_request (auth) · vendor_prefixed\wpdesk\flexible-refunds-core\src\Integration\Ajax.php:31
wp_ajax_fr_fb_insert_field (auth) · vendor_prefixed\wpdesk\flexible-refunds-core\src\Integration\Ajax.php:32
wp_ajax_wpdesk_notice_dismiss (auth) · vendor_prefixed\wpdesk\wp-notice\src\WPDesk\Notice\AjaxHandler.php:42

Shortcodes (1)

[flexible_refund_public] · vendor_prefixed\wpdesk\flexible-refunds-core\src\Integration\PublicRefundShortcode.php:30
WordPress Hooks (50)

action · admin_init · src\DeactivateFree.php:10
action · admin_notices · src\DeactivateFree.php:15
action · admin_init · src\Tracker\DeactivationTracker.php:33
filter · woocommerce_email_classes · vendor_prefixed\wpdesk\flexible-refunds-core\src\Emails\RegisterEmails.php:10
action · admin_menu · vendor_prefixed\wpdesk\flexible-refunds-core\src\Integration\AdminMenu.php:10
action · admin_menu · vendor_prefixed\wpdesk\flexible-refunds-core\src\Integration\AdminMenu.php:11
action · admin_enqueue_scripts · vendor_prefixed\wpdesk\flexible-refunds-core\src\Integration\Assets.php:40
action · wp_enqueue_scripts · vendor_prefixed\wpdesk\flexible-refunds-core\src\Integration\Assets.php:41
filter · woocommerce_my_account_my_orders_actions · vendor_prefixed\wpdesk\flexible-refunds-core\src\Integration\MyAccount.php:49
filter · woocommerce_get_query_vars · vendor_prefixed\wpdesk\flexible-refunds-core\src\Integration\MyAccount.php:52
filter · wp · vendor_prefixed\wpdesk\flexible-refunds-core\src\Integration\MyAccount.php:53
filter · wp · vendor_prefixed\wpdesk\flexible-refunds-core\src\Integration\MyAccount.php:54
action · wp · vendor_prefixed\wpdesk\flexible-refunds-core\src\Integration\MyAccount.php:55
action · add_meta_boxes · vendor_prefixed\wpdesk\flexible-refunds-core\src\Integration\OrderMetaBox.php:27
filter · woocommerce_order_note_class · vendor_prefixed\wpdesk\flexible-refunds-core\src\Integration\OrderNote.php:12
filter · woocommerce_get_order_note · vendor_prefixed\wpdesk\flexible-refunds-core\src\Integration\OrderNote.php:13
filter · wp · vendor_prefixed\wpdesk\flexible-refunds-core\src\Integration\PublicRefundShortcode.php:31
action · init · vendor_prefixed\wpdesk\flexible-refunds-core\src\Integration\RegisterOrderStatus.php:14
filter · wc_order_statuses · vendor_prefixed\wpdesk\flexible-refunds-core\src\Integration\RegisterOrderStatus.php:15
filter · woocommerce_get_settings_pages · vendor_prefixed\wpdesk\flexible-refunds-core\src\Settings\SettingsForm.php:18
filter · woocommerce_admin_settings_sanitize_option_fr_refund_form_builder · vendor_prefixed\wpdesk\flexible-refunds-core\src\Settings\SettingsForm.php:19
action · woocommerce_admin_field_form_builder_settings · vendor_prefixed\wpdesk\flexible-refunds-core\src\Settings\Tabs\FormBuilderTab.php:16
action · woocommerce_admin_field_conditions_setting · vendor_prefixed\wpdesk\flexible-refunds-core\src\Settings\Tabs\RefundOrderTab.php:17
action · woocommerce_admin_field_auto_hide_setting · vendor_prefixed\wpdesk\flexible-refunds-core\src\Settings\Tabs\RefundOrderTab.php:18
action · woocommerce_admin_field_select_with_disable · vendor_prefixed\wpdesk\flexible-refunds-core\src\Settings\Tabs\RefundOrderTab.php:19
action · woocommerce_admin_field_post_select · vendor_prefixed\wpdesk\flexible-refunds-core\src\Settings\Tabs\RefundOrderTab.php:20
action · woocommerce_admin_field_fr_support_settings · vendor_prefixed\wpdesk\flexible-refunds-core\src\Settings\Tabs\SupportTab.php:19
action · wp_dashboard_setup · vendor_prefixed\wpdesk\ltv-dashboard-widget\src\DashboardWidget.php:102
action · admin_enqueue_scripts · vendor_prefixed\wpdesk\wp-builder\src\Plugin\AbstractPlugin.php:148
action · wp_enqueue_scripts · vendor_prefixed\wpdesk\wp-builder\src\Plugin\AbstractPlugin.php:149
action · admin_enqueue_scripts · vendor_prefixed\wpdesk\wp-notice\src\WPDesk\Notice\AjaxHandler.php:41
action · admin_notices · vendor_prefixed\wpdesk\wp-notice\src\WPDesk\Notice\Notice.php:144
action · admin_footer · vendor_prefixed\wpdesk\wp-notice\src\WPDesk\Notice\Notice.php:145
filter · wp_autoloader_loader_loaders_to_load · vendor_prefixed\wpdesk\wp-plugin-flow-common\src\Initialization\PluginDisablerByFileTrait.php:45
filter · wp_autoloader_loader_loaders_to_create · vendor_prefixed\wpdesk\wp-plugin-flow-common\src\Initialization\PluginDisablerByFileTrait.php:46
action · plugins_loaded · vendor_prefixed\wpdesk\wp-plugin-flow-common\src\Initialization\Simple\SimplePaidStrategy.php:58
action · plugins_loaded · vendor_prefixed\wpdesk\wp-plugin-flow-common\src\PluginBootstrap.php:81
action · before_woocommerce_init · vendor_prefixed\wpdesk\wp-plugin-flow-common\src\PluginBootstrap.php:88
action · activated_plugin · vendor_prefixed\wpdesk\wp-plugin-flow-common\src\PluginBootstrap.php:102
filter · doing_it_wrong_trigger_error · vendor_prefixed\wpdesk\wp-plugin-flow-common\src\PluginBootstrap.php:123
action · admin_print_styles-plugins.php · vendor_prefixed\wpdesk\wp-wpdesk-deactivation-modal\src\Service\AssetsPrinterService.php:26
action · admin_print_footer_scripts-plugins.php · vendor_prefixed\wpdesk\wp-wpdesk-deactivation-modal\src\Service\AssetsPrinterService.php:27
action · admin_print_footer_scripts-plugins.php · vendor_prefixed\wpdesk\wp-wpdesk-deactivation-modal\src\Service\TemplateGeneratorService.php:43
action · admin_enqueue_scripts · vendor_prefixed\wpdesk\wp-wpdesk-marketing\src\Boxes\Assets.php:16
action · admin_enqueue_scripts · vendor_prefixed\wpdesk\wp-wpdesk-marketing\src\Boxes\Assets.php:30
action · admin_enqueue_scripts · vendor_prefixed\wpdesk\wp-wpdesk-tracker\src\PSR\WPDesk\Tracker\Assets.php:28
action · admin_menu · vendor_prefixed\wpdesk\wp-wpdesk-tracker\src\PSR\WPDesk\Tracker\OptInPage.php:35
action · admin_init · vendor_prefixed\wpdesk\wp-wpdesk-tracker\src\PSR\WPDesk\Tracker\OptInPage.php:36
action · admin_notices · vendor_prefixed\wpdesk\wp-wpdesk-tracker\src\PSR\WPDesk\Tracker\OptOut.php:28
filter · plugin_row_meta · vendor_prefixed\wpdesk\wp-wpdesk-tracker\src\PSR\WPDesk\Tracker\PluginActionLinks.php:36
Maintenance & Trust

Flexible Refund and Return Order for WooCommerce Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 7, 2026
PHP min version: 7.4
Downloads: 46K

Community Trust

Rating: 100/100
Number of ratings: 2
Active installs: 1K
Developer Profile

Flexible Refund and Return Order for WooCommerce Developer Profile

wpdesk

23 plugins · 127K total installs

Trust score: 78
Avg Security Score: 99/100
Avg Patch Time: 135 days
Detection Fingerprints

How We Detect Flexible Refund and Return Order for WooCommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/flexible-refund-and-return-order-for-woocommerce/assets/css/settings.css
/wp-content/plugins/flexible-refund-and-return-order-for-woocommerce/assets/js/settings.js
/wp-content/plugins/flexible-refund-and-return-order-for-woocommerce/assets/css/marketing.css
/wp-content/plugins/flexible-refund-and-return-order-for-woocommerce/assets/css/modal.css
/wp-content/plugins/flexible-refund-and-return-order-for-woocommerce/assets/js/modal.js
/wp-content/plugins/flexible-refund-and-return-order-for-woocommerce/assets/js/email-recipients.js
/wp-content/plugins/flexible-refund-and-return-order-for-woocommerce/assets/css/meta-box.css
/wp-content/plugins/flexible-refund-and-return-order-for-woocommerce/assets/js/meta-box.js
+2 more

Script Paths
/wp-content/plugins/flexible-refund-and-return-order-for-woocommerce/assets/js/settings.js
/wp-content/plugins/flexible-refund-and-return-order-for-woocommerce/assets/js/modal.js
/wp-content/plugins/flexible-refund-and-return-order-for-woocommerce/assets/js/email-recipients.js
/wp-content/plugins/flexible-refund-and-return-order-for-woocommerce/assets/js/meta-box.js
/wp-content/plugins/flexible-refund-and-return-order-for-woocommerce/assets/js/front.js

Version Parameters
flexible-refund-and-return-order-for-woocommerce/assets/css/settings.css?ver=
flexible-refund-and-return-order-for-woocommerce/assets/js/settings.js?ver=
flexible-refund-and-return-order-for-woocommerce/assets/css/marketing.css?ver=
flexible-refund-and-return-order-for-woocommerce/assets/css/modal.css?ver=
flexible-refund-and-return-order-for-woocommerce/assets/js/modal.js?ver=
flexible-refund-and-return-order-for-woocommerce/assets/js/email-recipients.js?ver=
flexible-refund-and-return-order-for-woocommerce/assets/css/meta-box.css?ver=
flexible-refund-and-return-order-for-woocommerce/assets/js/meta-box.js?ver=
flexible-refund-and-return-order-for-woocommerce/assets/css/front.css?ver=
flexible-refund-and-return-order-for-woocommerce/assets/js/front.js?ver=

HTML / DOM Fingerprints

CSS Classes
frc-admin-style, frc-marketing, frc-modal, frc-email-recipients, frc-meta-box, frc-front
Data Attributes
data-tab, data-section
JS Globals
fr_fb_i18n, fr_email_recipients, fr_meta_box, fr_front_i18n
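The paths, version parameters and JS globals above are enough for a passive check against a single fetched page. The function below is an added example for this page, not the scanner the page describes. It assumes the plugin enqueues its assets with its own version string as the `?ver=` parameter (the usual WordPress behaviour, and the reason the fingerprints above end in `?ver=`) and that the JS globals are emitted as `var name = {...}` the way `wp_localize_script()` does. The sample HTML is constructed; the affected-version bounds are the ones listed in this page's Vulnerabilities section.

```php
<?php
/**
 * Added example (not the scanner behind this page): detect the plugin in a
 * fetched HTML document from its asset paths and JS globals, read the version
 * from ?ver=, and map it onto the two CVE ranges this page records.
 * Assumes ?ver= carries the plugin version and that JS globals appear as
 * "var name =". The sample HTML at the bottom is constructed.
 */

const FRC_SLUG = 'flexible-refund-and-return-order-for-woocommerce';

// Affected ranges as listed on this page: "<= version" => advisory.
const FRC_CVE_RANGES = array(
    '1.0.42' => 'CVE-2025-12621 (Contributor+ refund status update, fixed in 1.0.43)',
    '1.0.38' => 'CVE-2025-10570 (Subscriber+ arbitrary order refund, fixed in 1.0.39)',
);

// JS globals from the fingerprint list above.
const FRC_JS_GLOBALS = array( 'fr_fb_i18n', 'fr_email_recipients', 'fr_meta_box', 'fr_front_i18n' );

/**
 * Returns ['present' => bool, 'version' => ?string, 'evidence' => string[], 'cves' => string[]].
 */
function frc_fingerprint( string $html ): array {
    $evidence = array();
    $version  = null;

    // 1. Asset paths under the plugin directory, with an optional ?ver= value.
    //    Matches <link href> and <script src>, absolute or root-relative.
    $asset_re = '#/wp-content/plugins/' . preg_quote( FRC_SLUG, '#' )
              . '/assets/(?:css|js)/([\w-]+\.(?:css|js))(?:\?ver=([\w.\-]+))?#i';
    if ( preg_match_all( $asset_re, $html, $m, PREG_SET_ORDER ) ) {
        foreach ( $m as $hit ) {
            $evidence[] = 'asset:' . $hit[1];
            // Only accept an x.y.z value; a cache-busting hash or a bare
            // WordPress core version would not tell us the plugin version.
            if ( isset( $hit[2] ) && preg_match( '/^\d+\.\d+\.\d+$/', $hit[2] ) ) {
                $version = $hit[2];
            }
        }
    }

    // 2. JS globals, e.g. "var fr_front_i18n = {...};".
    foreach ( FRC_JS_GLOBALS as $global ) {
        if ( preg_match( '/\bvar\s+' . preg_quote( $global, '/' ) . '\s*=/', $html ) ) {
            $evidence[] = 'js-global:' . $global;
        }
    }

    $present = ! empty( $evidence );

    // 3. Map the version onto the affected ranges. An unknown version is
    //    reported as present with version null, never as clean.
    $cves = array();
    if ( $present && $version !== null ) {
        foreach ( FRC_CVE_RANGES as $max_affected => $advisory ) {
            if ( version_compare( $version, $max_affected, '<=' ) ) {
                $cves[] = $advisory;
            }
        }
    }

    return array(
        'present'  => $present,
        'version'  => $version,
        'evidence' => array_values( array_unique( $evidence ) ),
        'cves'     => $cves,
    );
}

// Constructed sample: what a My Account page from a 1.0.40 install might embed.
$sample_html = <<<'HTML'
<link rel="stylesheet" href="https://shop.example/wp-content/plugins/flexible-refund-and-return-order-for-woocommerce/assets/css/front.css?ver=1.0.40" />
<script src="https://shop.example/wp-content/plugins/flexible-refund-and-return-order-for-woocommerce/assets/js/front.js?ver=1.0.40"></script>
<script>var fr_front_i18n = {"confirm":"Request refund?"};</script>
HTML;

print_r( frc_fingerprint( $sample_html ) );
```

On the constructed sample the function reports the plugin present at 1.0.40 with `front.css`, `front.js` and `fr_front_i18n` as evidence, and matches only CVE-2025-12621, since 1.0.40 is above the 1.0.38 bound for CVE-2025-10570. A hit with no parsable version comes back as present with `version` null; treat that as "verify by other means" rather than as clean, because caching and optimisation plugins that strip or rewrite `?ver=` are common.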
FAQ

Frequently Asked Questions about Flexible Refund and Return Order for WooCommerce