Unauthorized Data Modification in WPForms Plugin for WordPress
CVE-2024-11205
Key Information:
- Vendor: WordPress
- CVE Published: 10 December 2024
What is CVE-2024-11205?
CVE-2024-11205 is a vulnerability found in the WPForms plugin for WordPress, which plays a crucial role in form creation and management for websites. Specifically, this vulnerability arises from a lack of proper capability checks within the plugin, particularly in the 'wpforms_is_admin_page' function. The flaw permits authenticated users with Subscriber-level access and above to make unauthorized changes, such as issuing refunds for payments and canceling subscriptions. This weakness can severely compromise an organization’s financial integrity and customer trust, especially for those heavily relying on the plugin for managing payments.
Technical Details
The vulnerability affects WPForms plugin versions from 1.8.4 up to and including 1.9.2.1. The missing capability check means that the permissions required for certain administrative actions were never enforced, so authenticated users could perform operations reserved for administrators. Because the root cause is a missing authorization check rather than an input-handling flaw, the affected payment actions were reachable by any authenticated account, allowing users to modify sensitive payment data without the intended validation.
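As an added illustration of this bug class (hypothetical plugin code, not WPForms' own), the admin-ajax handler below first shows the weak pattern, where a context check that only inspects the requested page name is mistaken for an authorization check, and then the hardened form that requires a capability and a nonce before refunding. All function, hook and capability names are assumptions.

```php
<?php
// Added example (hypothetical plugin code, not WPForms'): a payment refund
// handler exposed through admin-ajax.php, which any logged-in user can reach.

// Weak pattern: this only asks "does the request look like an admin page?".
// It says nothing about WHO is asking, so a Subscriber passes it too.
function example_is_admin_page() {
    $page = isset( $_REQUEST['page'] ) ? sanitize_key( $_REQUEST['page'] ) : '';
    return is_admin() && 0 === strpos( $page, 'example-' );
}

function example_refund_vulnerable() {
    if ( ! example_is_admin_page() ) {
        wp_send_json_error( 'not an admin page' );
    }
    // Missing: capability check and nonce. Any authenticated user reaches here.
    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    example_do_refund( $payment_id );
    wp_send_json_success();
}

// Hardened form: the context check may stay, but authorization is enforced
// explicitly, and the request must carry a nonce bound to this action.
function example_refund_hardened() {
    // Rejects missing or invalid nonces (dies with -1 for AJAX requests).
    check_ajax_referer( 'example_refund_nonce', 'nonce' );

    // Authorization: only users allowed to manage payments may refund.
    // 'manage_options' stands in for a plugin-specific capability (assumption).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    if ( 0 === $payment_id ) {
        wp_send_json_error( 'invalid payment id', 400 );
    }

    example_do_refund( $payment_id );
    wp_send_json_success();
}

// Stand-in for the real refund logic (assumption for this example).
function example_do_refund( $payment_id ) {
    do_action( 'example_payment_refunded', $payment_id );
}

// wp_ajax_ hooks require a logged-in user but no particular role, which is
// exactly why the capability check inside the handler matters.
add_action( 'wp_ajax_example_refund', 'example_refund_hardened' );
```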
Impact of the Vulnerability
- Financial Loss: The ability for unauthorized users to refund payments and cancel subscriptions can lead to significant financial repercussions for businesses, potentially resulting in direct monetary loss and affecting overall revenue streams.
- Customer Trust Erosion: Organizations that experience unauthorized modifications in financial transactions may find their reputation severely damaged, leading to a loss of customer trust and loyalty, which can have long-term consequences on customer relationships.
- Increased Attack Surface: The existence of this vulnerability broadens the potential attack vectors for adversaries, especially if exploited alongside other vulnerabilities, which can be detrimental to the overall cybersecurity posture of the affected organizations.
Affected Version(s)
WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More: versions 1.8.4 through 1.9.2.1 (1.8.4 <= version <= 1.9.2.1)
News Articles
- WPForms bug allows Stripe refunds on millions of WordPress sites (2 months ago): A vulnerability in WPForms, a WordPress plugin used in over 6 million websites, could allow subscriber-level users to issue arbitrary Stripe refunds or cancel subscriptions.
- CVE-2024-11205 Vulnerability Impacts 6M WordPress Sites (2 months ago): CVE-2024-11205 exposes WPForms to unauthorized Stripe refunds and subscription cancellations.
Timeline
- Exploit known to exist
- First article discovered by The Cyber Express
- Vulnerability published
- Vulnerability reserved