Vulnerability

WPForms Vulnerability Let Users Issues Subscription Payments

A critical security vulnerability, tracked as CVE-2024-11205, was recently discovered in the popular WordPress plugin, WPForms, which boasts over 6 million active installations globally.

This flaw, identified by researcher villu164 through the Wordfence Bug Bounty Program, allows authenticated users with at least subscriber-level permissions to issue unauthorized refunds for Stripe payments and cancel Stripe subscriptions.

The vulnerability, categorized under “Missing Authorization to Payment Refund and Subscription Cancellation,” impacts WPForms plugin versions 1.8.4 through 1.9.2.1.

Given its high severity with a CVSS score of 8.5, this flaw could lead to financial losses for businesses relying on WPForms to manage payments and subscriptions.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

Technical Details

WPForms is widely used to create forms, including payment and subscription forms, utilizing a drag-and-drop builder.

The vulnerability lies in the inadequate authorization checks within the plugin’s Stripe payment refund and subscription cancellation processes.

Key functions in question are:

  1. ajax_single_payment_refund()
  2. ajax_single_payment_cancel()

While a nonce protects these functions, they lack proper capability checks. Consequently, authenticated users with lower permissions (such as subscribers) can exploit this vulnerability.

Below is a snippet from the plugin’s vulnerable code:

public function ajax_single_payment_refund() {
    if ( ! isset( $_POST['payment_id'] ) ) {
        wp_send_json_error( [ 'message' => esc_html__( 'Missing payment ID.', 'wpforms-lite' ) ] );
    }
    $this->check_payment_collection_type(); 
    check_ajax_referer( 'wpforms-admin', 'nonce' ); 
    $payment_id = (int) $_POST['payment_id']; 
    $payment_db = wpforms()->obj( 'payment' )->get( $payment_id ); 
    if ( empty( $payment_db ) ) { 
        wp_send_json_error( [ 'message' => esc_html__( 'Payment not found in the database.', 'wpforms-lite' ) ] ); 
    }
    $args = [ 
        'metadata' => [ 'refunded_by' => 'wpforms_dashboard', ], 
        'reason' => 'requested_by_customer', 
    ]; 
    $refund = $this->payment_intents->refund_payment( $payment_db->transaction_id, $args ); 
}

The above code highlights how attackers can misuse the AJAX function without sufficient capability checks. Similar issues exist in the ajax_single_payment_cancel() function, enabling subscription cancellation.

Users of affected WPForms plugin versions (1.8.4 to 1.9.2.1) are urged to update to version 1.9.2.2 to mitigate this critical vulnerability immediately.

Wordfence Premium, Care, and Response users gained early protection on November 15, 2024, while free users will receive it on December 15, 2024.

Investigate Real-World Malicious Links,Malware & Phishing Attacks With ANY.RUN - Try for Free

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Hackers Target Mobile Users Using PWA JavaScript to Bypass Browser Security

A sophisticated new injection campaign has been uncovered, targeting mobile users through malicious third-party JavaScript…

1 hour ago

Docker Zombie Malware Infects Containers for Crypto Mining and Self-Replication

A novel malware campaign targeting containerized infrastructures has emerged, exploiting insecurely exposed Docker APIs to…

1 hour ago

Hackers Masquerade as Organizations to Steal Payroll Logins and Redirect Payments from Employees

ReliaQuest, hackers have deployed a cunning search engine optimization (SEO) poisoning scheme to orchestrate payroll…

2 hours ago

PupkinStealer Exploits Web Browser Passwords and App Tokens to Exfiltrate Data Through Telegram

A newly identified .NET-based information-stealing malware, dubbed PupkinStealer (also known as PumpkinStealer in some reports),…

2 hours ago

71 Fake Websites Impersonating German Retailer to Steal Payment Information

Recorded Future Payment Fraud Intelligence has uncovered a sprawling network of 71 fraudulent e-commerce domains…

3 hours ago

New Scan Uncovers 150K Industrial Systems Worldwide Vulnerable to Cyberattacks

A groundbreaking study leveraging advanced application-layer scanning has exposed approximately 150,000 industrial control systems (ICS)…

3 hours ago