CVE-2024-11205: Urgent Update for WPForms to Prevent Financial Losses

A vulnerability in the widely-used WordPress plugin WPForms, installed on over 6 million websites, allows users with “subscriber” privileges to initiate arbitrary Stripe refunds or cancel paid subscriptions.

Stripe, a renowned platform for processing online payments and managing financial transactions, is extensively employed by businesses, e-commerce platforms, and startups for handling payments through credit cards, digital wallets, and other methods.

This flaw, identified as CVE-2024-11205, has been assigned a CVSS score of 8.5. While not deemed critical due to the requirement for user authentication, the membership systems prevalent on many websites significantly lower the barrier for exploiting this vulnerability.

WPForms, a plugin designed for creating contact forms, subscription forms, and payment interfaces, supports integrations with Stripe, PayPal, and other services. Its free version is active on millions of websites.

The vulnerability stems from improper use of the “wpforms_is_admin_ajax()” function to identify administrative AJAX requests. This function fails to verify user permissions, thereby allowing even subscribers to execute actions such as initiating refunds or canceling subscriptions. Exploiting CVE-2024-11205 could result in financial losses, website disruptions, and diminished user trust.
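The pattern behind this flaw is a WordPress AJAX handler that confuses "this request arrived through the admin AJAX endpoint" with "this user is allowed to do this". The following is an added illustration, not WPForms' own code: the handler names (`wpdemo_refund_handler_weak`, `wpdemo_refund_handler_hardened`, `wpdemo_issue_refund`) and the nonce action are hypothetical, and the Stripe call is a no-op placeholder. `admin-ajax.php` is reachable by every logged-in user, and `is_admin()` returns true for it regardless of the caller's role, which is why the weak check admits subscribers; the hardened form adds a capability check and a nonce.

```php
<?php
// Added example, not WPForms code. Handler names and nonce action are assumptions.

// WEAK: "is this an admin AJAX request?" is a routing check, not an
// authorization check. admin-ajax.php serves any logged-in user, and
// is_admin() is true for those requests whatever the user's role.
function wpdemo_is_admin_ajax_weak() {
    return is_admin() && wp_doing_ajax();
}

function wpdemo_refund_handler_weak() {
    if ( ! wpdemo_is_admin_ajax_weak() ) {
        wp_send_json_error( 'not an admin ajax request' );
    }
    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    wpdemo_issue_refund( $payment_id ); // reachable by a subscriber
    wp_send_json_success();
}

// HARDENED: verify a nonce (blocks cross-site forged requests) and require a
// capability that the role model actually ties to issuing refunds.
function wpdemo_refund_handler_hardened() {
    check_ajax_referer( 'wpdemo_refund_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    if ( ! $payment_id ) {
        wp_send_json_error( 'invalid payment id', 400 );
    }
    wpdemo_issue_refund( $payment_id );
    wp_send_json_success();
}

// Placeholder for the payment-processor refund call; intentionally a no-op.
function wpdemo_issue_refund( $payment_id ) {
    return true;
}

// Both handlers hang off the wp_ajax_ prefix, which already limits them to
// logged-in users. That is exactly why the "admin AJAX" test adds nothing:
// a subscriber is a logged-in user too.
add_action( 'wp_ajax_wpdemo_refund', 'wpdemo_refund_handler_hardened' );
```

`manage_options` is used here only as a stand-in for whatever capability a site maps to refund rights; the point is that authorization must be decided per user capability, not per endpoint.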

The issue was discovered by security researcher “vullu164,” who reported it through Wordfence’s vulnerability disclosure program and received a $2,376 reward. Wordfence validated the vulnerability and forwarded the findings to Awesome Motive, the plugin’s developer.

On November 18, 2024, Awesome Motive released the patched version 1.9.2.2, incorporating access permission checks. However, according to WordPress.org statistics, nearly half of the sites using WPForms have yet to update to the 1.9.x branch, leaving at least 3 million websites exposed.

Although no active exploitation of the vulnerability has been observed, users of WPForms are strongly urged to update to version 1.9.2.2 or temporarily disable the plugin to mitigate potential risks.