Critical WordPress Flaw: 6M+ Sites at Risk from WPForms Stripe Refund Exploit

Critical Vulnerability Discovered in Popular WordPress Plugin WPForms

A significant security flaw (CVE-2024-11205) has been identified in WPForms, affecting versions 1.8.4 through 1.9.2.1 of the widely-used WordPress plugin. The vulnerability enables subscriber-level users to issue unauthorized Stripe refunds and cancel subscriptions, potentially impacting over 6 million websites.

The Security Flaw
The vulnerability stems from inadequate authorization checks in the ‘wpforms_is_admin_ajax()’ function, which fails to verify that the requesting user actually holds the capabilities required for administrative actions. This oversight allows any authenticated user, even one with the subscriber role, to reach payment management functions that should be reserved for administrators.
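The bug class described above is common in WordPress plugins: an admin-ajax.php handler decides whether a privileged action is allowed based on a property of the request rather than on the capabilities of the user making it. The following is an added illustration and is not WPForms' code; the plugin, function and action names (example_refund_handler_*, example_refund, example_process_refund) are hypothetical. It shows a vulnerable handler that gates on is_admin(), which WordPress sets to true for every request served through wp-admin/admin-ajax.php regardless of who is logged in, next to a hardened version that checks a nonce and a real capability.

```php
<?php
/**
 * Added example of the vulnerability class the article describes.
 * Hypothetical plugin code, not WPForms' own: the function names,
 * the 'example_refund' AJAX action and example_process_refund()
 * are assumptions made for this illustration.
 */

// Stand-in for the call into the payment gateway (e.g. a Stripe refund request).
// Assumed helper; the gateway call itself is not shown.
function example_process_refund( $payment_id ) {
    do_action( 'example_refund_processed', $payment_id );
}

// VULNERABLE PATTERN: is_admin() reports whether the request is being served
// from the admin area. WordPress treats every wp-admin/admin-ajax.php request
// as an admin request, so a logged-in subscriber passes this check and reaches
// the refund. Kept unregistered here; shown only for contrast.
function example_refund_handler_vulnerable() {
    if ( ! is_admin() ) {
        wp_send_json_error( 'forbidden', 403 ); // wp_send_json_error() exits
    }
    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    example_process_refund( $payment_id ); // privileged action, no capability check
    wp_send_json_success();
}

// HARDENED PATTERN: first bind the request to a nonce issued for this exact
// action (stops cross-site request forgery), then require an administrative
// capability (authorization). Both checks terminate the request on failure.
function example_refund_handler_hardened() {
    // Dies with HTTP 403 unless a valid nonce for 'example_refund' arrived in 'nonce'.
    check_ajax_referer( 'example_refund', 'nonce' );

    // manage_options is held by administrators only on a default install,
    // so subscriber, contributor, author and editor accounts all stop here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient_permissions', 403 );
    }

    // Validate input only after the caller has proven who they are.
    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    if ( 0 === $payment_id ) {
        wp_send_json_error( 'invalid_payment_id', 400 );
    }

    example_process_refund( $payment_id );
    wp_send_json_success( array( 'refunded' => $payment_id ) );
}

// wp_ajax_{action} hooks fire only for authenticated users (anonymous requests
// use wp_ajax_nopriv_{action}), which is exactly the population the article
// says could abuse the flaw: any logged-in account, not only administrators.
add_action( 'wp_ajax_example_refund', 'example_refund_handler_hardened' );
```

The point to carry into a code review is that "is this an admin-ajax request?" and "is this user an administrator?" are different questions; only current_user_can() (or an equivalent capability or role check) answers the second, and a nonce check on its own does not either, because any logged-in user can be issued a nonce.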

Impact and Scope
– Affects both WPForms Pro and WPForms Lite versions
– Enables unauthorized Stripe refund processing
– Allows malicious subscription cancellations
– Potentially impacts millions of WordPress websites
– Could result in significant revenue loss and business disruption

Resolution and Timeline
– Discovered by researcher ‘vullu164’ through Wordfence’s bug bounty program
– Reported on November 8, 2024
– Fixed in version 1.9.2.2 (released November 18)
– Patch implements proper capability checks and authorization mechanisms

Recommended Actions
Website owners using WPForms should immediately:
1. Upgrade to version 1.9.2.2
2. Alternatively, disable the plugin if immediate updating isn’t possible

While no active exploitations have been reported, the widespread use of WPForms makes this vulnerability a significant security concern requiring prompt attention.