A critical security flaw in WPForms, a popular WordPress plugin active on over 6 million websites, could let low-privilege users like subscribers issue unauthorized Stripe refunds or cancel subscriptions.
Tracked as CVE-2024-11205, this vulnerability is classified as high-severity due to its exploitability on membership-enabled websites.
The issue affects WPForms versions from 1.8.4 to 1.9.2.1, with a patch provided in version 1.9.2.2, released in November 2024. WPForms, a widely used drag-and-drop form builder, supports integration with major payment platforms like Stripe, PayPal, and Square. The plugin is available in premium (WPForms Pro) and free (WPForms Lite) versions, the latter being the more widely used.
The flaw stems from the wpforms_is_admin_ajax() function, which is used to validate admin-level AJAX calls. The function only checks whether a request arrived through an admin path; it does not enforce any user role or capability check. As a result, even basic subscribers can reach sensitive actions such as refunding payments or canceling subscriptions through functions like ajax_single_payment_refund() and ajax_single_payment_cancel().
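The root cause described above is a common WordPress anti-pattern: treating "this request came in via admin-ajax.php" as if it were an authorization decision. The following is an added illustration, not WPForms' own code and not the patched handlers; the function names, the nonce action name and the `manage_options` capability are placeholders chosen for the example. It shows a path-only check next to a handler that performs the nonce and capability checks a state-changing AJAX action needs.

```php
<?php
// Added illustration (not WPForms' code): an "admin AJAX" path check is not
// an authorization check, and what a refund-style handler should do instead.

// Hypothetical path-only check, modelled on the behaviour the article describes.
// It only asks "did this request arrive via admin-ajax.php?". Any logged-in
// user, subscribers included, can send requests to admin-ajax.php, so this
// says nothing about the caller's role or capabilities.
function example_is_admin_ajax_request(): bool {
    return defined( 'DOING_AJAX' ) && DOING_AJAX
        && isset( $_SERVER['REQUEST_URI'] )
        && false !== strpos( $_SERVER['REQUEST_URI'], 'wp-admin/admin-ajax.php' );
}

// Weak handler: authorization is inferred from the request path alone.
function example_refund_handler_weak() {
    if ( ! example_is_admin_ajax_request() ) {
        wp_send_json_error( 'not an admin ajax request', 403 );
    }
    // A refund would be issued here. Any authenticated user reaches this point.
    wp_send_json_success();
}

// Hardened handler: explicit CSRF and capability checks before any
// state-changing work. 'manage_options' is a stand-in; a real plugin would
// register and check its own narrowly scoped capability.
function example_refund_handler_hardened() {
    // 1. CSRF protection. 'example_payment_action' is a placeholder nonce action.
    check_ajax_referer( 'example_payment_action', 'nonce' );

    // 2. Authorization: decide on a capability, never on a URL path.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 3. Validate input before contacting the payment provider.
    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    if ( 0 === $payment_id ) {
        wp_send_json_error( 'invalid payment id', 400 );
    }

    // The refund for $payment_id would be issued via the gateway here.
    wp_send_json_success( array( 'payment_id' => $payment_id ) );
}

// Register only the hardened handler, and only for logged-in users: there is
// deliberately no 'wp_ajax_nopriv_' registration for this action.
add_action( 'wp_ajax_example_refund_payment', 'example_refund_handler_hardened' );
```

When auditing a plugin for this class of bug, look for every `wp_ajax_*` callback that changes state and confirm that `current_user_can()` (or an equivalent capability check) and a nonce check both run before the side effect; a helper that only inspects `DOING_AJAX` or the request path is not a substitute for either.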
Immediate Update Recommended
Security researcher vullu164 identified the vulnerability and reported it through Wordfence’s bug bounty program, earning a $2,376 reward. After confirming the issue, Wordfence disclosed the details to WPForms’ developer, Awesome Motive, on November 14, 2024. The patched version, 1.9.2.2, includes stricter capability checks to prevent unauthorized access.
Despite the fix, Wordfence reports that about half of WPForms users have not upgraded to the latest release branch, leaving an estimated 3 million websites vulnerable. Although no active exploitation has been detected yet, website owners are strongly urged to update to the latest version or temporarily disable the plugin to safeguard their sites.
This incident highlights the importance of timely plugin updates to mitigate potential security risks that could disrupt business operations or erode customer trust.
Bijay Pokharel