Vulnerability in WPForms: Missing Authorization for Stripe Payment Refunds and Subscription Cancellations

ISGroup Cybersecurity

A critical security vulnerability, identified as CVE-2024-11205, has been discovered in the WPForms plugin for WordPress. This plugin, used by over 6 million websites, failed to implement adequate authorization checks, allowing authenticated attackers with subscriber-level access or higher to refund Stripe payments and cancel Stripe subscriptions.

Productwpforms-lite
Date2024-12-12 07:32:55
Information
  • Trending
  • Fix Available

Technical Summary

The vulnerability stems from inadequate authorization checks in the ajax_single_payment_refund() and ajax_single_payment_cancel() functions within the SingleActionsHandler class. These functions handle Stripe payment refunds and Stripe subscription cancellations, but they do not correctly enforce user capability checks. Furthermore, although nonce protection is implemented, the nonce value can be obtained by authenticated attackers.

The main issues include:

  • Inadequate Checks: The wpforms_is_admin_ajax() function confirms administrative AJAX requests but does not perform any authorization checks.

  • Nonce Leakage: The nonce protection can be bypassed by attackers who obtain the necessary value.

  • Lack of Capability Verification: There is no verification that the user has the appropriate privileges to perform these operations.

Recommendations

Update Immediately: Ensure that WPForms is updated to version 1.9.2.2 or higher.
Check Logs: Review payment and subscription activity for unauthorized actions.

[Callforaction-THREAT-Footer]