A critical security vulnerability, identified as CVE-2024-11205, has been discovered in the WPForms plugin for WordPress. This plugin, used by over 6 million websites, failed to implement adequate authorization checks, allowing authenticated attackers with subscriber-level access or higher to refund Stripe payments and cancel Stripe subscriptions.
| Product | wpforms-lite |
| Date | 2024-12-12 07:32:55 |
| Information |
|
Technical Summary
The vulnerability stems from inadequate authorization checks in the ajax_single_payment_refund() and ajax_single_payment_cancel() functions within the SingleActionsHandler class. These functions handle Stripe payment refunds and Stripe subscription cancellations, but they do not correctly enforce user capability checks. Furthermore, although nonce protection is implemented, the nonce value can be obtained by authenticated attackers.
The main issues include:
Inadequate Checks: The
wpforms_is_admin_ajax()function confirms administrative AJAX requests but does not perform any authorization checks.Nonce Leakage: The nonce protection can be bypassed by attackers who obtain the necessary value.
Lack of Capability Verification: There is no verification that the user has the appropriate privileges to perform these operations.
Recommendations
Update Immediately: Ensure that WPForms is updated to version 1.9.2.2 or higher.
Check Logs: Review payment and subscription activity for unauthorized actions.
[Callforaction-THREAT-Footer]
