CVE-2024-13641

MEDIUM 5.9

Return Refund and Exchange For WooCommerce <= 4.4.5 - Unauthenticated Sensitive Information Exposure Through Unprotected Directory

CVSS Score

5.9

EPSS Score

0.0%

EPSS Percentile

0th

The Return Refund and Exchange For WooCommerce – Return Management System, RMA Exchange, Wallet And Cancel Order Features plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.4.5 via the 'attachment' directory. This makes it possible for unauthenticated attackers to extract sensitive data stored insecurely in the /wp-content/attachment directory which can contain file attachments for order refunds.

CWE	CWE-200
Vendor	wpswings
Product	return refund and exchange for woocommerce
Published	Feb 14, 2025
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for wpswings return refund and exchange for woocommerce

Be the first to know when new medium vulnerabilities affecting wpswings return refund and exchange for woocommerce are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

wpswings / Return Refund and Exchange For WooCommerce

0 ≤ 4.4.5

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/5f88a21d-28a9-4c91-9bf9-6b69f6a420e8?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/woo-refund-and-exchange-lite/trunk/common/class-woo-refund-and-exchange-lite-common.php#L127 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3236486/

Credits

Tim Coen