WPForms Plugin Patches Vulnerability Affecting Stripe Payments and Subscriptions

Awesome Motive’s WPForms plugin has patched a Missing Authorization to Payment Refund and Subscription Cancellation vulnerability. The issue allowed authenticated attackers with Subscriber-level access or higher to refund Stripe payments and cancel subscriptions without proper authorization.

Wordfence reports that “The WPForms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘wpforms_is_admin_page’ function in versions starting from 1.8.4 up to, and including, 1.9.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to refund payments and cancel subscriptions.”
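As an added illustration (not code from WPForms, the WP Tavern post, or the Wordfence advisory), the block below sketches the bug class the quote describes in a hypothetical plugin: an AJAX handler that gates a privileged action on "is this an admin page?" rather than on the requesting user's capability, beside the hardened form of the same handler. All names here (my_plugin_is_admin_page, my_plugin_refund_ajax_vulnerable, my_plugin_refund_ajax_fixed, my_plugin_do_refund, the my_plugin_refund action) are invented for the example.

```php
<?php
// Added example, not WPForms' code. Hypothetical plugin demonstrating why an
// "is admin page" test is not an authorization check on a WordPress AJAX endpoint.

// Hypothetical helper in the style of an "is admin page" check. It inspects the
// request (the page slug), not the identity or role of the user sending it.
function my_plugin_is_admin_page() {
    $page = isset( $_REQUEST['page'] ) ? sanitize_key( $_REQUEST['page'] ) : '';
    return is_admin() && 0 === strpos( $page, 'my-plugin' );
}

// Hypothetical privileged side effect: mark a payment record as refunded.
function my_plugin_do_refund( $payment_id ) {
    update_post_meta( $payment_id, '_my_plugin_refunded', 1 );
}

// Weak pattern. admin-ajax.php runs with WP_ADMIN set, so is_admin() is true for
// every AJAX request, and the 'page' parameter is supplied by the caller. Any
// logged-in user (a Subscriber has only the 'read' capability) passes this gate.
function my_plugin_refund_ajax_vulnerable() {
    if ( ! my_plugin_is_admin_page() ) {
        wp_send_json_error( 'Not an admin page.', 403 );
    }
    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    my_plugin_do_refund( $payment_id );
    wp_send_json_success();
}

// Hardened pattern: verify a nonce bound to this action (CSRF protection) and
// require an explicit capability (authorization) before any state change.
function my_plugin_refund_ajax_fixed() {
    check_ajax_referer( 'my_plugin_refund', 'nonce' );      // dies with 403 on failure
    if ( ! current_user_can( 'manage_options' ) ) {          // use the narrowest capability that fits
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }
    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    if ( ! $payment_id ) {
        wp_send_json_error( 'Invalid payment id.', 400 );
    }
    my_plugin_do_refund( $payment_id );
    wp_send_json_success();
}

// Register only the hardened handler, and only for logged-in users: there is no
// matching 'wp_ajax_nopriv_' hook, so unauthenticated requests never reach it.
add_action( 'wp_ajax_my_plugin_refund', 'my_plugin_refund_ajax_fixed' );
```

When auditing a plugin for this class of issue, enumerate every `wp_ajax_` and `wp_ajax_nopriv_` hook and confirm that each handler calls `current_user_can()` (or an equivalent capability test) and a nonce check before it touches payment, subscription, or other privileged state; a test that only inspects request parameters or `is_admin()` does not count.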

Researchers have classified the vulnerability (CVE-2024-11205) as “High,” with a CVSS score of 8.5. The vulnerability researcher István Márton’s post has more technical details about the plugin’s vulnerability.

Researcher Villu Orav, who initially discovered and reported the vulnerability via the Wordfence Bug Bounty Program, earned recognition as Wordfence’s first recipient of the WordPress Superhero badge. Orav also received a $2,376 bounty for his discovery.

WPForms is a widely used plugin with over 6 million active installations, making this patch particularly critical. Users are strongly advised to update to the patched version, 1.9.2.2, to safeguard against potential revenue loss and ensure site security.

1 Comment

The changelog for version 1.9.2.2 is missing any mention that there was a security vulnerability fixed. That is a recurring issue with Awesome Motive.

One reason why it is important to disclose security fixes in the changelog is so that others vet the changes to make sure they are complete. That clearly wasn’t done by Awesome Motive or Wordfence, as a quick check of the plugin shows it is still missing capability checks on other AJAX accessible functions.

Making this all worse is that the Security Reviewer on the Plugin Review Team is an Awesome Motive employee.

It would be great if you followed up with Awesome Motive and Wordfence on why they didn’t make sure the issue was fully addressed and how they are going to improve to avoid that happening again.
