Vulnerability

WPForms Vulnerability Let Users Issues Subscription Payments

A critical security vulnerability, tracked as CVE-2024-11205, was recently discovered in the popular WordPress plugin, WPForms, which boasts over 6 million active installations globally.

This flaw, identified by researcher villu164 through the Wordfence Bug Bounty Program, allows authenticated users with at least subscriber-level permissions to issue unauthorized refunds for Stripe payments and cancel Stripe subscriptions.

The vulnerability, categorized under “Missing Authorization to Payment Refund and Subscription Cancellation,” impacts WPForms plugin versions 1.8.4 through 1.9.2.1.

Given its high severity with a CVSS score of 8.5, this flaw could lead to financial losses for businesses relying on WPForms to manage payments and subscriptions.

Leveraging 2024 MITRE ATT&CK Results for SME & MSP Cybersecurity Leaders – Attend Free Webinar

Technical Details

WPForms is widely used to create forms, including payment and subscription forms, utilizing a drag-and-drop builder.

The vulnerability lies in the inadequate authorization checks within the plugin’s Stripe payment refund and subscription cancellation processes.

Key functions in question are:

  1. ajax_single_payment_refund()
  2. ajax_single_payment_cancel()

While a nonce protects these functions, they lack proper capability checks. Consequently, authenticated users with lower permissions (such as subscribers) can exploit this vulnerability.

Below is a snippet from the plugin’s vulnerable code:

public function ajax_single_payment_refund() {
    if ( ! isset( $_POST['payment_id'] ) ) {
        wp_send_json_error( [ 'message' => esc_html__( 'Missing payment ID.', 'wpforms-lite' ) ] );
    }
    $this->check_payment_collection_type(); 
    check_ajax_referer( 'wpforms-admin', 'nonce' ); 
    $payment_id = (int) $_POST['payment_id']; 
    $payment_db = wpforms()->obj( 'payment' )->get( $payment_id ); 
    if ( empty( $payment_db ) ) { 
        wp_send_json_error( [ 'message' => esc_html__( 'Payment not found in the database.', 'wpforms-lite' ) ] ); 
    }
    $args = [ 
        'metadata' => [ 'refunded_by' => 'wpforms_dashboard', ], 
        'reason' => 'requested_by_customer', 
    ]; 
    $refund = $this->payment_intents->refund_payment( $payment_db->transaction_id, $args ); 
}

The above code highlights how attackers can misuse the AJAX function without sufficient capability checks. Similar issues exist in the ajax_single_payment_cancel() function, enabling subscription cancellation.

Users of affected WPForms plugin versions (1.8.4 to 1.9.2.1) are urged to update to version 1.9.2.2 to mitigate this critical vulnerability immediately.

Wordfence Premium, Care, and Response users gained early protection on November 15, 2024, while free users will receive it on December 15, 2024.

Investigate Real-World Malicious Links,Malware & Phishing Attacks With ANY.RUN - Try for Free

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

Threat Actors Attacking U.S. Citizens Via Social Engineering Attack

As Tax Day on April 15 approaches, a alarming cybersecurity threat has emerged targeting U.S.…

4 hours ago

TerraStealer Strikes: Browser Credential & Sensitive‑Data Heists on the Rise

Insikt Group has uncovered two new malware families, TerraStealerV2 and TerraLogger, attributed to the notorious…

5 hours ago

MintsLoader Malware Uses Sandbox and Virtual Machine Evasion Techniques

MintsLoader, a malicious loader first observed in 2024, has emerged as a formidable tool in…

8 hours ago

Threat Actors Use AiTM Attacks with Reverse Proxies to Bypass MFA

Cybercriminals are intensifying their efforts to undermine multi-factor authentication (MFA) through adversary-in-the-middle (AiTM) attacks, leveraging…

9 hours ago

Threat Actors Target Critical National Infrastructure with New Malware and Tools

A recent investigation by the FortiGuard Incident Response (FGIR) team has uncovered a sophisticated, long-term…

10 hours ago

New StealC V2 Upgrade Targets Microsoft Installer Packages and PowerShell Scripts

StealC, a notorious information stealer and malware downloader first sold in January 2023, has rolled…

11 hours ago