WPForms bug allows Stripe refunds on millions of WordPress sites

December 10, 2024 at 03:00PM

A vulnerability in WPForms, affecting over 3 million sites, allows subscriber users to issue unauthorized Stripe refunds or cancel subscriptions (CVE-2024-11205). A fix was released in version 1.9.2.2. Website owners are advised to upgrade or disable the plugin to prevent potential exploitation and revenue loss.

### Meeting Summary on WPForms Vulnerability (CVE-2024-11205)

**Overview of Vulnerability:**
– WPForms, a popular WordPress plugin, has a high-severity vulnerability (CVE-2024-11205) affecting versions 1.8.4 to 1.9.2.1.
– Exploitation could allow subscriber-level users to issue arbitrary Stripe refunds or cancel subscriptions because of an improper check in the `wpforms_is_admin_ajax()` function.

**Key Details:**
– **Exploit Mechanism:** The flaw allows any authenticated user (including subscribers) to invoke sensitive AJAX functions (`ajax_single_payment_refund()` and `ajax_single_payment_cancel()`), potentially leading to significant financial losses and customer trust issues.
– **Affected Versions:** The vulnerability impacts all versions from 1.8.4 to 1.9.2.1. A patch was released in version 1.9.2.2 on November 18, 2024, which includes proper capability checks and authorization mechanisms.
– **User Adoption Concern:** Approximately 50% of WPForms users are not on the latest update, leaving around 3 million websites potentially vulnerable.

**Discovery and Response:**
– The vulnerability was discovered by security researcher ‘vullu164’ and reported through Wordfence’s bug bounty program.
– Wordfence validated the exploit and communicated with the vendor, Awesome Motive, who promptly released the patch.

**Recommendations:**
– Website owners are advised to upgrade to version 1.9.2.2 immediately or disable the plugin to mitigate the risks associated with this vulnerability.
– Wordfence has not reported any cases of active exploitation in the wild so far.

**Action Items:**
– Ensure that all installations of WPForms are updated to version 1.9.2.2 or the plugin is disabled.
– Monitor for updates and further security advisories related to WPForms and similar vulnerabilities.
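
To support the version check in the action items, the following added example (not from the article, Wordfence or the WPForms project) classifies a plugin header's `Version:` field against the affected range 1.8.4 to 1.9.2.1. The site names and header text are constructed sample data, and reading the version from a WordPress-style plugin header comment is an assumption about how the inventory is collected.

```python
import re

# Affected range as stated in the summary above (fixed in 1.9.2.2).
FIRST_AFFECTED = (1, 8, 4)
LAST_AFFECTED = (1, 9, 2, 1)

# WordPress-style plugin header line, e.g. " * Version: 1.9.2.1"
VERSION_LINE = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)

def parse_version(text):
    """Turn '1.9.2.1' into (1, 9, 2, 1); return None for non-numeric versions."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        return None
    return tuple(int(part) for part in text.split("."))

def _pad(version, width=4):
    # Pad so that 1.9.2 compares as 1.9.2.0 (below 1.9.2.1), not as a prefix.
    return version + (0,) * (width - len(version))

def classify(header_text):
    """Return 'affected', 'not-affected' or 'unknown' for a plugin header."""
    match = VERSION_LINE.search(header_text)
    version = parse_version(match.group(1)) if match else None
    if version is None or len(version) > 4:
        return "unknown"  # needs manual review; never treated as safe
    padded = _pad(version)
    if _pad(FIRST_AFFECTED) <= padded <= _pad(LAST_AFFECTED):
        return "affected"
    return "not-affected"

def triage(inventory):
    """Map site name -> classification for a dict of site -> header text."""
    return {site: classify(header) for site, header in inventory.items()}

# Constructed sample inventory (hypothetical sites, not real data).
SAMPLE = {
    "shop.example": "/**\n * Plugin Name: WPForms\n * Version: 1.9.2.1\n */",
    "blog.example": "/**\n * Plugin Name: WPForms\n * Version: 1.9.2.2\n */",
    "old.example": "/**\n * Plugin Name: WPForms\n * Version: 1.8.3\n */",
    "dev.example": "/**\n * Plugin Name: WPForms\n * Version: 1.9.2\n */",
    "odd.example": "/**\n * Plugin Name: WPForms\n * Version: 1.9.3-beta\n */",
}

if __name__ == "__main__":
    for site, status in triage(SAMPLE).items():
        print(f"{site}: {status}")
```

Anything reported as `unknown` (pre-release tags, missing headers) should be checked by hand rather than assumed patched.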
