WPForms Vulnerability Exposes Millions of WordPress Sites to Stripe Refund Exploits

A high-severity vulnerability in the WPForms plugin, used by over 6 million WordPress sites, allows subscriber-level users to issue unauthorized Stripe refunds or cancel subscriptions. Identified as CVE-2024-11205, the flaw affects WPForms versions 1.8.4 through 1.9.2.1 and stems from the plugin relying on the 'wpforms_is_admin_ajax()' function as its authorization check. That function only establishes that a request arrived through WordPress's admin-ajax.php endpoint, which every logged-in user can reach regardless of role; it performs no capability check, so it never verifies that the caller is actually permitted to act on payments.

As a result, any authenticated user can call the plugin's Stripe refund and subscription-cancellation AJAX actions, potentially causing significant revenue losses and customer trust issues for affected site owners. The issue has been patched in version 1.9.2.2, released after security researcher 'vullu164' reported the bug through Wordfence's bounty program.
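The following is an added illustration of the bug class, not WPForms code and not the actual vulnerable function: a WordPress admin-ajax handler that gates a refund on "is this an admin AJAX request?" beside one that checks a nonce and a capability. The helper `example_is_admin_ajax()`, the refund callback, the nonce action name and the `example_process_stripe_refund()` stand-in are all hypothetical names chosen for the example.

```php
<?php
// Added example (not WPForms code). Demonstrates the pattern behind
// CVE-2024-11205: a sensitive admin-ajax action gated on a request-type
// check instead of on a capability check. All function and action names
// below are hypothetical.

// Any logged-in user, Subscriber included, can reach wp-admin/admin-ajax.php,
// and is_admin() returns true there. So this only tells you HOW the request
// arrived, never WHO is allowed to perform the action.
function example_is_admin_ajax() {
    return is_admin() && defined( 'DOING_AJAX' ) && DOING_AJAX;
}

// Stand-in for the Stripe API call; hypothetical.
function example_process_stripe_refund( $payment_id ) {
    error_log( "refund requested for payment {$payment_id}" );
}

// VULNERABLE: a request-type check mistaken for authorization. Every
// authenticated user can trigger it by POSTing action=example_refund_vulnerable.
function example_ajax_refund_vulnerable() {
    if ( ! example_is_admin_ajax() ) {
        wp_send_json_error( 'not an admin ajax request' );
    }
    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    example_process_stripe_refund( $payment_id );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_refund_vulnerable', 'example_ajax_refund_vulnerable' );

// HARDENED: verify a nonce bound to this action, then require a capability
// that only trusted roles hold, and validate the input, before touching money.
function example_ajax_refund_hardened() {
    check_ajax_referer( 'example_refund_nonce', 'nonce' ); // dies on a bad/missing nonce

    // manage_options is Administrator-only on a default WordPress install.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    if ( ! $payment_id ) {
        wp_send_json_error( 'invalid payment id', 400 );
    }

    example_process_stripe_refund( $payment_id );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_refund_hardened', 'example_ajax_refund_hardened' );

// Deliberately no wp_ajax_nopriv_ hook: this action must never be reachable
// by unauthenticated requests at all.
```

The nonce alone is not a substitute for the capability check: a Subscriber can obtain a valid nonce for any action the page hands out, so `check_ajax_referer()` only proves the request was not forged cross-site, while `current_user_can()` is what actually enforces who may refund a payment.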

Despite the fix, approximately half of WPForms users remain on outdated versions, leaving over 3 million sites potentially vulnerable. While there is no evidence of active exploitation yet, site administrators are strongly advised to upgrade to the latest version or temporarily disable the plugin to mitigate risks.
