Introduction
The WPForms plugin for WordPress contains a missing-authorization vulnerability, CVE-2024-11205 [1] [2] [4] [5] [6] [8] [9] [10] [11] [12], affecting versions 1.8.4 through 1.9.2.1 [1] [2] [3] [4] [5] [6] [7] [11] [12]. It carries direct financial risk because it lets low-privileged authenticated users refund payments and cancel subscriptions that they have no business touching.
Description
The WPForms plugin for WordPress has a high-severity vulnerability [3], tracked as CVE-2024-11205 [1] [2] [4] [5] [6] [9] [10] [12], affecting versions 1.8.4 through 1.9.2.1 [1] [2] [3] [4] [5] [6] [7] [11] [12]. The flaw is classified as "Missing Authorization to Payment Refund and Subscription Cancellation": because the plugin's payment handlers lack an adequate capability check, any authenticated user with Subscriber-level access or higher can issue refunds through Stripe and cancel subscriptions.
Specifically, the refund and cancellation handlers, ajax_single_payment_refund() and ajax_single_payment_cancel() in the SingleActionsHandler class [5] [8], are intended to be reachable only by administrators [5] [8]. The helpers used to gate them, wpforms_is_admin_page() and wpforms_is_admin_ajax(), do not enforce that restriction: neither performs a capability check on the calling user. That leaves a nonce as the only barrier, and a nonce is a CSRF defence, not an authorization control. Any logged-in user who can obtain the nonce passes the check, so a Subscriber-level account can invoke the handlers directly.
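The pattern behind this class of bug, as an added illustration that is not WPForms code: a WordPress AJAX handler that verifies a nonce but never checks a capability, beside the hardened form. All names here (example_payment_refund, example_refund_nonce, example_refund_payment()) are hypothetical; the WordPress API calls (check_ajax_referer, current_user_can, wp_send_json_error, add_action) are real.

```php
<?php
/**
 * Added example: nonce-only vs. nonce-plus-capability AJAX handlers.
 * Not the plugin's own code; the action and function names are assumed.
 */

// Hypothetical gateway call standing in for the Stripe refund a payment
// plugin would perform. Always "succeeds" so the example is self-contained.
function example_refund_payment( int $payment_id ): bool {
    // ... call the payment gateway here ...
    return true;
}

/**
 * BEFORE: nonce only.
 *
 * check_ajax_referer() proves the request carries a nonce minted for a
 * page the caller loaded, which stops cross-site request forgery. It says
 * nothing about whether the caller is allowed to refund payments, so any
 * logged-in account that can read the nonce gets through. A Subscriber
 * reaches admin-ajax.php just like an administrator does.
 */
function example_ajax_refund_vulnerable() {
    check_ajax_referer( 'example_refund_nonce', 'nonce' );

    $payment_id = absint( $_POST['payment_id'] ?? 0 );
    if ( ! $payment_id ) {
        wp_send_json_error( array( 'message' => 'missing payment_id' ), 400 );
    }

    example_refund_payment( $payment_id );
    wp_send_json_success();
}

/**
 * AFTER: nonce AND capability.
 *
 * Refunding is an administrative action, so gate it on a capability held
 * only by trusted roles. is_admin() and wp_doing_ajax() are not substitutes:
 * both return true for every authenticated admin-ajax.php request,
 * regardless of the caller's role.
 */
function example_ajax_refund_hardened() {
    check_ajax_referer( 'example_refund_nonce', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $payment_id = absint( $_POST['payment_id'] ?? 0 );
    if ( ! $payment_id ) {
        wp_send_json_error( array( 'message' => 'missing payment_id' ), 400 );
    }

    example_refund_payment( $payment_id );
    wp_send_json_success();
}

// wp_ajax_* (without "nopriv") only requires that the caller be logged in,
// with any role. Authorization has to happen inside the callback.
add_action( 'wp_ajax_example_payment_refund', 'example_ajax_refund_hardened' );
```

When auditing a plugin for this bug class, grep its wp_ajax_ registrations and confirm each callback calls current_user_can() (or an equivalent capability wrapper) before any state-changing work; a bare nonce check, or a check that the request is an "admin" request, is not enough.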
The flaw carries a CVSS score of 8.5 (High). The exposure is large: WPForms is active on over six million websites, and roughly three million of them were still running vulnerable versions at the time of disclosure. An attacker with at least Subscriber-level access can refund legitimate payments and cancel active subscriptions [4] [9], causing direct revenue loss and damaging customer relationships [5]. There is currently no evidence of exploitation [1], but the potential for abuse remains a concern [1], and affected businesses may also incur operational costs while reversing unauthorized refunds or restoring cancelled subscriptions [8].
Awesome Motive, the plugin's developer, fixed the issue in version 1.9.2.2, released on November 18, 2024; users should update immediately to protect against revenue loss [12]. Despite the fix being available [10], approximately half of WPForms users had not upgraded [10], leaving around three million websites exposed [2] [10]. A security alert describing the missing authorization for authenticated users (Subscriber+) on payment refunds and subscription cancellations [3] underlines the urgency.
Wordfence shipped a firewall rule to Premium, Care, and Response users on November 15, 2024, with free users receiving it on December 15, 2024 [1] [5] [6] [7] [8] [10] [11] [12]. Beyond patching, site administrators should audit user roles and permissions so that only trusted accounts hold access to sensitive functions [8], keep the plugin updated, and monitor payment and subscription records for unexpected refunds or cancellations [8]. Because the attack only needs a Subscriber account, sites that allow open registration are the most exposed; disabling "Anyone can register" where it is not needed shrinks the pool of accounts that can reach the handlers. Two-factor authentication [7] is also recommended, since it raises the cost of obtaining the authenticated access this flaw requires.
Conclusion
The WPForms vulnerability is a significant threat to revenue and customer trust for businesses that take payments through the plugin. Immediate action is required: update to the latest version [2] [4] [10], audit user roles, and apply the additional protective measures above. The case is a reminder that a nonce check is not an authorization check, and that keeping plugins current is the baseline defence against flaws of this kind.
References
[1] https://www.techradar.com/pro/security/security-flaw-in-top-wordpress-plugin-could-allow-for-stripe-refunds-on-millions-of-sites
[2] https://www.newsminimalist.com/articles/security-flaw-in-wpforms-plugin-exposes-millions-of-wordpress-sites-to-unauthorized-stripe-refunds-2fe795db
[3] https://www.isss.org.uk/news/wpforms-plugin-vulnerability-affects-up-to-6-million-sites/
[4] https://osintcorp.net/cve-2024-11205-vulnerability-impacts-6m-wordpress-sites/
[5] https://thecyberexpress.com/cve-2024-11205-vulnerability/
[6] https://gbhackers.com/wpforms-vulnerability/
[7] https://www.malcare.com/blog/wpforms-missing-authorization-check/
[8] https://cybermaterial.com/wpforms-flaw-exposes-6-million-websites/
[9] https://quantribaomat.com/wpforms-vulnerability-let-users-issues-subscription-payments
[10] https://www.abijita.com/high-severity-vulnerability-in-wpforms-plugin-could-impact-over-6-million-websites/
[11] https://www.heise.de/en/news/Wordpress-WPForms-plug-in-tears-security-hole-in-6-million-websites-10193433.html
[12] https://wptavern.com/wpforms-plugin-patches-vulnerability-affecting-stripe-payments-and-subscriptions