WPForms Vulnerability Let Users Issues Subscription Payments

A critical security vulnerability, tracked as CVE-2024-11205, was recently discovered in the popular WordPress plugin, WPForms, which boasts over 6 million active installations globally.

This flaw, identified by researcher villu164 through the Wordfence Bug Bounty Program, allows authenticated users with at least subscriber-level permissions to issue unauthorized refunds for Stripe payments and cancel Stripe subscriptions.

The vulnerability, categorized under “Missing Authorization to Payment Refund and Subscription Cancellation,” impacts WPForms plugin versions 1.8.4 through 1.9.2.1.

Given its high severity with a CVSS score of 8.5, this flaw could lead to financial losses for businesses relying on WPForms to manage payments and subscriptions.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

Technical Details

WPForms is widely used to create forms, including payment and subscription forms, utilizing a drag-and-drop builder.

The vulnerability lies in the inadequate authorization checks within the plugin’s Stripe payment refund and subscription cancellation processes.

Key functions in question are:

1. ajax_single_payment_refund()
2. ajax_single_payment_cancel()

While a nonce protects these functions, they lack proper capability checks. Consequently, authenticated users with lower permissions (such as subscribers) can exploit this vulnerability.

Below is a snippet from the plugin’s vulnerable code:

public function ajax_single_payment_refund() {
    if ( ! isset( $_POST['payment_id'] ) ) {
        wp_send_json_error( [ 'message' => esc_html__( 'Missing payment ID.', 'wpforms-lite' ) ] );
    }
    $this->check_payment_collection_type(); 
    check_ajax_referer( 'wpforms-admin', 'nonce' ); 
    $payment_id = (int) $_POST['payment_id']; 
    $payment_db = wpforms()->obj( 'payment' )->get( $payment_id ); 
    if ( empty( $payment_db ) ) { 
        wp_send_json_error( [ 'message' => esc_html__( 'Payment not found in the database.', 'wpforms-lite' ) ] ); 
    }
    $args = [ 
        'metadata' => [ 'refunded_by' => 'wpforms_dashboard', ], 
        'reason' => 'requested_by_customer', 
    ]; 
    $refund = $this->payment_intents->refund_payment( $payment_db->transaction_id, $args ); 
}

The above code highlights how attackers can misuse the AJAX function without sufficient capability checks. Similar issues exist in the ajax_single_payment_cancel() function, enabling subscription cancellation.

Users of affected WPForms plugin versions (1.8.4 to 1.9.2.1) are urged to update to version 1.9.2.2 to mitigate this critical vulnerability immediately.

Wordfence Premium, Care, and Response users gained early protection on November 15, 2024, while free users will receive it on December 15, 2024.

Investigate Real-World Malicious Links,Malware & Phishing Attacks With ANY.RUN - Try for Free