Awesome Motive’s WPForms plugin has patched a Missing Authorization to Payment Refund and Subscription Cancellation vulnerability. The issue allowed authenticated attackers with Subscriber-level access or higher to refund Stripe payments and cancel subscriptions, because the plugin never checked whether the requesting user was actually authorized to perform those actions.
Wordfence reports that “The WPForms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘wpforms_is_admin_page’ function in versions starting from 1.8.4 up to, and including, 1.9.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to refund payments and cancel subscriptions.”
Wordfence has classified the vulnerability (CVE-2024-11205) as “High” severity, with a CVSS score of 8.5. Wordfence researcher István Márton’s post has more technical details about the flaw.
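The bug class here is an authorization check that tests the wrong thing: whether the request arrives on an admin screen rather than whether the user holds the capability for the action. The following is an added illustration of that pattern in a hypothetical WordPress plugin, not WPForms’ code and not the actual logic of `wpforms_is_admin_page`; the plugin name, the AJAX action names, the helper `example_is_admin_page()` and the gateway stub `example_issue_stripe_refund()` are all assumptions, while the WordPress functions used (`is_admin`, `current_user_can`, `check_ajax_referer`, `wp_send_json_error`, `absint`) are real.

```php
<?php
// Added example of the bug class (missing capability check on a payment action).
// Hypothetical plugin code, not WPForms'. Hook names, helper names and the
// gateway stub are assumptions; the WordPress API calls are real.

// Hypothetical "are we in the admin area?" helper. is_admin() is true for any
// request under wp-admin, including admin-ajax.php, which every logged-in user
// (a Subscriber included) can reach. It answers "where", never "who".
function example_is_admin_page() {
    return is_admin();
}

// Hypothetical stand-in for the payment gateway's refund call.
function example_issue_stripe_refund( $payment_id ) {
    // ... call the gateway's refund API for $payment_id ...
    return true;
}

// VULNERABLE: only the page context is checked. Any authenticated user who
// POSTs to admin-ajax.php?action=example_refund passes this gate and triggers
// a refund of an arbitrary payment id.
function example_refund_vulnerable() {
    if ( ! example_is_admin_page() ) {
        wp_send_json_error( 'not an admin page', 403 );
    }
    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    example_issue_stripe_refund( $payment_id );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_refund', 'example_refund_vulnerable' );

// HARDENED: verify the nonce (request forgery) and the capability (authorization)
// before doing anything irreversible. Check a capability, not a role name and
// not the page the request came from.
function example_refund_hardened() {
    // check_ajax_referer() terminates the request with 403 if the nonce is bad.
    check_ajax_referer( 'example_refund_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    if ( ! $payment_id ) {
        wp_send_json_error( 'invalid payment id', 400 );
    }
    example_issue_stripe_refund( $payment_id );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_refund_hardened', 'example_refund_hardened' );
```

When auditing a plugin for this class of issue, search every `wp_ajax_*` and REST callback that changes money or account state and confirm the callback itself calls `current_user_can()` with the capability the action requires; a nonce check alone only proves the request was generated by the plugin’s own page, not that the user is allowed to do what it asks.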
Researcher Villu Orav, who discovered and reported the vulnerability through the Wordfence Bug Bounty Program, became the first recipient of Wordfence’s WordPress Superhero badge. Orav also received a $2,376 bounty for the discovery.
WPForms is a widely used plugin with over 6 million active installations, which makes this patch particularly important. Sites that accept Stripe payments through WPForms and allow low-privilege accounts such as Subscribers are the ones exposed. Users are strongly advised to update to the patched version, 1.9.2.2, to prevent unauthorized refunds and subscription cancellations and the revenue loss that would follow.
WP Tavern