Overview
The Indian Computer Emergency Response Team (CERT-In) has issued an alert about a critical security vulnerability in the WPForms plugin for WordPress. The flaw, tracked as CVE-2024-11205, could allow attackers to bypass authorization controls and carry out payment refunds and subscription cancellations on Stripe-powered websites.
This WPForms plugin vulnerability, affecting WPForms versions 1.8.4 through 1.9.2.1, leaves WordPress sites open to exploitation by authenticated users with lower-level permissions. The vulnerability was publicly disclosed on December 9, 2024, by Wordfence researchers, and a patch was made available in WPForms version 1.9.2.2.
The flaw stems from the absence of a capability check in the wpforms_is_admin_page function. This function is responsible for determining whether a user is accessing the admin interface via an AJAX request. Without proper authorization checks, attackers with Subscriber-level access or higher could bypass the restrictions and execute critical actions such as refunds and subscription cancellations on Stripe-powered sites.
This vulnerability is documented in the CIVN-2025-0001 Vulnerability Note, issued by CERT-In on January 1, 2025, with a High severity rating. Websites that rely on WPForms for financial transactions are particularly at risk of unauthorized modification of their data, potentially causing significant financial losses and disruption of services.
Technical Details of the WPForms Plugin Vulnerability (CVE-2024-11205)
The vulnerability exists in versions 1.8.4 through 1.9.2.1 of the WPForms plugin, where the wpforms_is_admin_ajax function lacks proper checks to ensure that the user requesting sensitive actions is authorized to perform them. This function is intended to verify whether a request originates from an admin interface, but because it does not perform capability checks, attackers can exploit the flaw to trigger the ajax_single_payment_refund and ajax_single_payment_cancel functions.
These functions are used to process Stripe payments, but in the vulnerable versions of WPForms they can be exploited by authenticated users with as little as Subscriber-level access. While nonce protection exists to prevent attacks such as Cross-Site Request Forgery (CSRF), a nonce only ties a request to the site's own pages and says nothing about the user's role, so an authenticated attacker who obtains the nonce passes that check. This means an attacker could potentially:
- Initiate unauthorized refunds for legitimate payments, resulting in financial harm to businesses.
- Cancel active subscriptions, disrupting services and damaging customer relationships.
These unauthorized actions could lead to a loss of revenue, significant operational costs, and reputational damage, particularly for businesses that rely on WPForms to manage payments and subscriptions.
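To make the missing-check pattern concrete, here is an added illustration written for this page; it is not WPForms code and does not reproduce the plugin's handlers. The plugin prefix acme_, the AJAX action acme_single_payment_refund, the nonce action acme-admin, the helper acme_do_stripe_refund and the capability constant ACME_REFUND_CAP are all assumed names. The vulnerable handler gates only on "is this an admin AJAX request?" plus a nonce, which is exactly the shape described above: on admin-ajax.php, is_admin() and wp_doing_ajax() are true for any logged-in account, so a Subscriber passes both gates. The hardened handler keeps the nonce for CSRF and adds current_user_can() as the actual authorization decision, logging denied attempts so they can be picked up in monitoring.

```php
<?php
/**
 * Added example (not from WPForms): a payment-admin AJAX handler in the
 * vulnerable shape described in the advisory, beside its hardened form.
 * All acme_* names, the 'acme-admin' nonce action and ACME_REFUND_CAP are
 * hypothetical.
 */

defined( 'ABSPATH' ) || exit;

// Capability held by administrators but not by Subscribers (assumed choice).
define( 'ACME_REFUND_CAP', 'manage_options' );

/**
 * The "is this an admin AJAX request?" idea. Both calls return true for
 * ANY logged-in user hitting admin-ajax.php, so this tells us nothing
 * about the caller's role and must not be used as an authorization check.
 */
function acme_is_admin_ajax() {
    return wp_doing_ajax() && is_admin();
}

/**
 * VULNERABLE pattern: the only gates are the admin-AJAX test and a nonce.
 * A Subscriber who has a valid nonce satisfies both and reaches the refund.
 */
function acme_refund_handler_vulnerable() {
    if ( ! acme_is_admin_ajax() ) {
        wp_send_json_error( 'not an admin request', 400 );
    }
    // CSRF protection only; a nonce is not an authorization decision.
    check_ajax_referer( 'acme-admin', 'nonce' );

    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    acme_do_stripe_refund( $payment_id ); // privileged side effect, unguarded
    wp_send_json_success();
}

/**
 * HARDENED pattern: nonce for CSRF, current_user_can() for authorization.
 * Both are required; neither substitutes for the other.
 */
function acme_refund_handler_hardened() {
    check_ajax_referer( 'acme-admin', 'nonce' );

    if ( ! current_user_can( ACME_REFUND_CAP ) ) {
        // Denied attempts by low-privilege accounts are a useful detection signal.
        $ip = isset( $_SERVER['REMOTE_ADDR'] )
            ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
            : 'unknown';
        error_log( sprintf( 'acme: refund denied for user %d from %s', get_current_user_id(), $ip ) );
        wp_send_json_error( 'forbidden', 403 );
    }

    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    if ( ! $payment_id ) {
        wp_send_json_error( 'invalid payment id', 400 );
    }
    acme_do_stripe_refund( $payment_id );
    wp_send_json_success( array( 'payment_id' => $payment_id ) );
}

/**
 * Stand-in for the real provider call (assumed). Firing an action lets the
 * payment integration and any audit logger subscribe to the event.
 */
function acme_do_stripe_refund( $payment_id ) {
    do_action( 'acme_refund_requested', $payment_id, get_current_user_id() );
}

// Register only the hardened handler. wp_ajax_* hooks fire for every
// authenticated user, which is why the capability check inside matters.
add_action( 'wp_ajax_acme_single_payment_refund', 'acme_refund_handler_hardened' );
```

The practical rule this shows: any wp_ajax_ handler that changes state should call current_user_can() with the narrowest capability that fits, regardless of what is_admin(), wp_doing_ajax() or a nonce check report.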
Exploitation Scenario
The vulnerability allows attackers with Subscriber-level access or higher to call the ajax_single_payment_refund and ajax_single_payment_cancel functions. Normally, these actions are restricted to administrators, but the missing capability checks let lower-level users initiate them.
Once an attacker gains access to these functions, they can initiate unauthorized refunds for Stripe payments and cancel active subscriptions. This could result in:
- Significant revenue loss from unauthorized refunds.
- Interruption of customer services when subscriptions are cancelled, leading to dissatisfaction and churn.
- Loss of customer trust and potential harm to the business's reputation from unauthorized transactions.
Given WPForms' widespread use, this flaw affects millions of WordPress websites, with businesses of all sizes exposed to exploitation.
Remediation and Patch Details
WPForms addressed the issue by releasing a patched version of the plugin, version 1.9.2.2, on November 18, 2024. Users running versions 1.8.4 through 1.9.2.1 are strongly advised to update to the latest version immediately to protect their websites from exploitation.
In addition to the patch, Wordfence, a leading security service for WordPress, acted to protect its users. On November 15, 2024, Wordfence Premium, Care, and Response users received a firewall rule to protect against potential exploits targeting this vulnerability. Protection for users of the free version of Wordfence was rolled out on December 15, 2024.
The impact of CVE-2024-11205 is severe for businesses that rely on WPForms to manage payments and subscriptions via Stripe. If exploited, the vulnerability could result in:
- Financial damage from unauthorized refunds and subscription cancellations.
- Disruption of business operations, particularly for e-commerce sites that rely on WPForms for payment processing.
- Loss of customer trust, as attackers could interfere with services and create doubts about the website's security.
Conclusion
The CVE-2024-11205 vulnerability poses a risk to WPForms users, allowing attackers with Subscriber-level access or higher to initiate unauthorized payment refunds and cancel subscriptions. To mitigate this threat, users should update to the latest patched version, 1.9.2.2, which addresses the issue. The vulnerability's potential impact on financial transactions and business operations makes it imperative for WordPress site administrators to prioritize this update, particularly those using WPForms for payment and subscription management.