A recently discovered high-severity vulnerability in the WordPress WPForms plugin allows attackers with subscriber-level access to refund Stripe payments and cancel Stripe subscriptions without proper authorization. The flaw has been patched by the vendor, and users are strongly advised to update to version 1.9.2.2 to mitigate risks.
The vulnerability, identified as CVE-2024-11205, was uncovered by security researcher villu164, who reported it to Wordfence on October 23, 2024 via its Bug Bounty Program. Following a detailed analysis, Wordfence confirmed the issue and disclosed the findings to WPForms' developer, Awesome Motive, on November 14, 2024. A patch was promptly released on November 18, 2024.
Performing arbitrary refunds
WPForms is a widely used WordPress plugin that simplifies the creation of forms for payments, surveys, subscriptions, and more through a drag-and-drop interface. A critical flaw in its code left six million websites using it vulnerable to exploitation. Specifically, the vulnerability was rooted in the plugin's ajax_single_payment_refund() and ajax_single_payment_cancel() functions, which manage essential payment actions for Stripe transactions.
These functions failed to include proper capability checks, allowing authenticated users with even low-level subscriber permissions to execute arbitrary actions. Although nonce protections were in place, authenticated attackers could access the required nonce, bypassing the intended safeguards. As a result, malicious users could issue unauthorized refunds or cancel active subscriptions, undermining the financial integrity of affected websites.
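The distinction the paragraph draws, a nonce check that is not an authorization check, as an added illustration in the WordPress AJAX-handler style (this is not WPForms' own code; the function, action and nonce names are hypothetical):

```php
<?php
// Added illustration, not WPForms code. Function, action and nonce names are hypothetical.
// As the article notes, an authenticated low-privilege user can obtain the nonce, so a
// nonce alone only defends against CSRF; it does not decide who may perform the action.

// Vulnerable pattern: nonce check only, no capability check.
function example_ajax_refund_vulnerable() {
    check_ajax_referer( 'example_payments_nonce', 'nonce' ); // CSRF protection only
    $payment_id = absint( $_POST['payment_id'] ?? 0 );
    // ... refund would be issued through the payment gateway for $payment_id ...
    wp_send_json_success( array( 'payment_id' => $payment_id ) );
}
add_action( 'wp_ajax_example_refund_vulnerable', 'example_ajax_refund_vulnerable' );

// Hardened pattern: nonce check plus a capability check before any state change.
function example_ajax_refund_hardened() {
    check_ajax_referer( 'example_payments_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) { // subscriber-level users stop here
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $payment_id = absint( $_POST['payment_id'] ?? 0 );
    if ( ! $payment_id ) {
        wp_send_json_error( array( 'message' => 'Invalid payment ID.' ), 400 );
    }
    // ... refund would be issued through the payment gateway for $payment_id ...
    wp_send_json_success( array( 'payment_id' => $payment_id ) );
}
add_action( 'wp_ajax_example_refund_hardened', 'example_ajax_refund_hardened' );
```

The capability to require ('manage_options' here) is an assumption; the point is that it must be checked on the server for every privileged AJAX action, independently of the nonce.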
The potential consequences for website owners are severe. In scenarios where attackers systematically exploit this flaw, businesses could face substantial revenue losses. For example, unauthorized refunds could erase income from completed transactions, while subscription cancellations could disrupt recurring revenue streams essential to many online businesses. Beyond financial implications, such attacks could erode trust between companies and their customers, particularly if legitimate users experience disruptions in their subscriptions or payments.
Website owners are advised to update to WPForms version 1.9.2.2 immediately, or to disable the plugin, to mitigate the risk. Because the vulnerability is exploitable from the subscriber role, most websites that offer membership schemes have a large pool of accounts from which it could be exploited. The flaw poses less risk to end users, for whom the worst case is having their subscription cancelled.