A critical security vulnerability has been discovered in WPForms, a popular form builder plugin used by over 6 million WordPress websites. The flaw, identified as CVE-2024-11205, allows attackers with subscriber-level access (the lowest user role) to issue unauthorized refunds and cancel Stripe subscriptions.
Exploiting the Vulnerability:
The vulnerability stems from a coding error in the plugin’s permission checks. The plugin verifies that a request originates from the admin side of WordPress, but it never confirms that the requesting user actually holds the permissions needed to perform actions such as issuing refunds. Because any authenticated user can reach those admin-side entry points, subscribers included, such users can invoke specific functions within the plugin and manipulate Stripe transactions.
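To make the flawed pattern concrete, here is an added illustration in PHP. It is not WPForms’ code and does not reproduce the plugin’s actual functions; the handler names, the AJAX action, the `manage_options` capability and the `hypothetical_issue_stripe_refund()` helper are all assumptions. The point it shows is the difference between asking "where did this request come from" (`is_admin()`, which is also true for `wp-admin/admin-ajax.php` requests that any logged-in user can send) and asking "who is allowed to do this" (`current_user_can()`), plus the nonce check a money-moving action should carry.

```php
<?php
// Added illustration (not WPForms' code): an origin check mistaken for
// an authorization check, beside the hardened form.
// All names below are hypothetical.

// VULNERABLE PATTERN: is_admin() only reports that the request went through
// the admin side of WordPress. wp-admin/admin-ajax.php counts as admin, and
// every authenticated user, subscribers included, can reach it. Nothing here
// checks what the caller is permitted to do.
function hypothetical_refund_vulnerable() {
    if ( ! is_admin() ) {
        wp_send_json_error( 'Not an admin request' );
    }
    $payment_id = absint( $_POST['payment_id'] ?? 0 );
    hypothetical_issue_stripe_refund( $payment_id ); // assumed helper
    wp_send_json_success();
}

// HARDENED PATTERN: verify the request's nonce and the caller's capability
// before anything touches a payment.
function hypothetical_refund_fixed() {
    // 1. CSRF protection: the nonce ties the request to a form the admin UI
    //    rendered for this action. Dies with HTTP 403 on failure.
    check_ajax_referer( 'hypothetical_refund_nonce', 'nonce' );

    // 2. Authorization: only users holding the required capability proceed.
    //    'manage_options' is an assumed stand-in for a plugin's real capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }

    // 3. Input validation of the identifier the action operates on.
    $payment_id = absint( $_POST['payment_id'] ?? 0 );
    if ( 0 === $payment_id ) {
        wp_send_json_error( 'Invalid payment id', 400 );
    }

    hypothetical_issue_stripe_refund( $payment_id ); // assumed helper
    wp_send_json_success();
}

// A wp_ajax_* hook is reachable only by authenticated users. Being logged in
// is authentication, not authorization, so the capability check above is
// still required.
add_action( 'wp_ajax_hypothetical_refund', 'hypothetical_refund_fixed' );
```

When reviewing a plugin for this class of bug, look for sensitive handlers whose only guard is `is_admin()`, a `wp_ajax_*` registration, or a check that the user is logged in; each of those confirms the request path, not the caller’s privilege, and the fix is a `current_user_can()` check against the least capability that the action genuinely requires.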
The consequences of this vulnerability can be severe for website owners. Attackers could potentially:
- Steal Revenue: By issuing fraudulent refunds through the compromised plugin, attackers can steal money from legitimate transactions.
- Disrupt Business: Canceling subscriptions can disrupt customer service and harm a business’s cash flow.
- Damage Trust: Unauthorized manipulation of payment systems can erode customer trust and damage a company’s reputation.
The good news is that a patch has already been released. WPForms version 1.9.2.2 addresses the vulnerability by implementing proper authorization mechanisms. Website owners using WPForms, especially the free Lite version, are urged to update to the latest version immediately.
While an update exists, security researchers estimate that at least 3 million websites remain vulnerable because they are not running the latest version of the plugin. Website owners should prioritize updating WPForms, or disable the plugin until the patch can be applied.
This incident highlights the importance of maintaining updated plugins and software. Regularly review security reports and implement recommended patches promptly to minimize your website’s vulnerability to attacks.