Thursday, January 23, 2025
HomeCVE/vulnerabilityWPForms Vulnerability Let Users Issues Subscription Payments

WPForms Vulnerability Let Users Issues Subscription Payments

Published on

SIEM as a Service

Follow Us on Google News

A critical security vulnerability, tracked as CVE-2024-11205, was recently discovered in the popular WordPress plugin, WPForms, which boasts over 6 million active installations globally.

This flaw, identified by researcher villu164 through the Wordfence Bug Bounty Program, allows authenticated users with at least subscriber-level permissions to issue unauthorized refunds for Stripe payments and cancel Stripe subscriptions.

The vulnerability, categorized under “Missing Authorization to Payment Refund and Subscription Cancellation,” impacts WPForms plugin versions 1.8.4 through 1.9.2.1.

Given its high severity with a CVSS score of 8.5, this flaw could lead to financial losses for businesses relying on WPForms to manage payments and subscriptions.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

Technical Details

WPForms is widely used to create forms, including payment and subscription forms, utilizing a drag-and-drop builder.

The vulnerability lies in the inadequate authorization checks within the plugin’s Stripe payment refund and subscription cancellation processes.

Key functions in question are:

  1. ajax_single_payment_refund()
  2. ajax_single_payment_cancel()

While a nonce protects these functions, they lack proper capability checks. Consequently, authenticated users with lower permissions (such as subscribers) can exploit this vulnerability.

Below is a snippet from the plugin’s vulnerable code:

public function ajax_single_payment_refund() {
    if ( ! isset( $_POST['payment_id'] ) ) {
        wp_send_json_error( [ 'message' => esc_html__( 'Missing payment ID.', 'wpforms-lite' ) ] );
    }
    $this->check_payment_collection_type(); 
    check_ajax_referer( 'wpforms-admin', 'nonce' ); 
    $payment_id = (int) $_POST['payment_id']; 
    $payment_db = wpforms()->obj( 'payment' )->get( $payment_id ); 
    if ( empty( $payment_db ) ) { 
        wp_send_json_error( [ 'message' => esc_html__( 'Payment not found in the database.', 'wpforms-lite' ) ] ); 
    }
    $args = [ 
        'metadata' => [ 'refunded_by' => 'wpforms_dashboard', ], 
        'reason' => 'requested_by_customer', 
    ]; 
    $refund = $this->payment_intents->refund_payment( $payment_db->transaction_id, $args ); 
}

The above code highlights how attackers can misuse the AJAX function without sufficient capability checks. Similar issues exist in the ajax_single_payment_cancel() function, enabling subscription cancellation.

Users of affected WPForms plugin versions (1.8.4 to 1.9.2.1) are urged to update to version 1.9.2.2 to mitigate this critical vulnerability immediately.

Wordfence Premium, Care, and Response users gained early protection on November 15, 2024, while free users will receive it on December 15, 2024.

Investigate Real-World Malicious Links,Malware & Phishing Attacks With ANY.RUN - Try for Free

Divya
Divya
Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Latest articles

Critical Vulnerability in Next.js Framework Exposes Websites to Cache Poisoning and XSS Attacks

A new report has put the spotlight on potential security vulnerabilities within the popular...

New Cookie Sandwich Technique Allows Stealing of HttpOnly Cookies

The "Cookie Sandwich Attack" showcases a sophisticated way of exploiting inconsistencies in cookie parsing...

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Critical Vulnerability in Next.js Framework Exposes Websites to Cache Poisoning and XSS Attacks

A new report has put the spotlight on potential security vulnerabilities within the popular...

GhostGPT – Jailbreaked ChatGPT that Creates Malware & Exploits

Artificial intelligence (AI) tools have revolutionized how we approach everyday tasks, but they also...

Tycoon 2FA Phishing Kit Using Specially Crafted Code to Evade Detection

The rapid evolution of Phishing-as-a-Service (PhaaS) platforms is reshaping the threat landscape, enabling attackers...