CVE-2024-11205

WPForms 1.8.4 - 1.9.2.1 - Missing Authorization to Authenticated (Subscriber+) Payment Refund and Subscription Cancellation

CVSS 8.5 (High) · EPSS 0.7% · CWE-862 (Missing Authorization)
In short

The WPForms WordPress plugin lets any logged-in user, down to the Subscriber role (the lowest default role, and the one handed to self-registered accounts), refund payments and cancel subscriptions because the code path that performs those actions never checks the caller's capability. An attacker who holds or can create a low-privilege account can therefore reverse or terminate financial transactions they should have no access to.

Technical detail

The payment refund and subscription cancellation actions are gated by the 'wpforms_is_admin_page' function, and that function contains no capability check. It decides whether the request is aimed at a plugin admin screen, which says nothing about who the caller is, so an authenticated user with Subscriber-level privileges or higher passes the gate and can trigger refunds and cancellations. Affected versions are 1.8.4 through 1.9.2.1 inclusive; the only prerequisite is a valid WordPress login, which on a site with open registration any visitor can obtain. Sites on an affected version should update to a release later than 1.9.2.1 and review recent refund and cancellation events for ones issued by low-privilege accounts.

Summary generated and translated by AI from the official description.
The WPForms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpforms_is_admin_page' function in versions starting from 1.8.4 up to, and including, 1.9.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to refund payments and cancel subscriptions.
CVSS v3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
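The bug class above (an "is this our admin page?" helper used as if it were an authorization check) is easiest to see side by side with the corrected form. The following is an added illustration written for this page; it is not WPForms code and does not reproduce its handlers. The "acme" prefix, the AJAX action acme_refund, the nonce name, the post type acme_payment and the helper acme_process_refund() are all assumptions. It runs inside WordPress; wp_ajax_*, current_user_can(), check_ajax_referer(), wp_send_json_error() and version_compare() are core WordPress or PHP functions.

```php
<?php
/**
 * Illustrative plugin snippet, not WPForms code. All "acme" names are
 * assumptions made for this example.
 */

/**
 * Page-detection helper in the style of an "is this our admin page?" check.
 * It inspects only request data (is_admin() and the page query parameter),
 * both of which the caller controls. is_admin() is also true for
 * admin-ajax.php requests, so any logged-in user can satisfy this test by
 * adding ?page=acme-... to the URL. It is routing logic, not authorization.
 */
function acme_is_admin_page() {
	$page = isset( $_GET['page'] ) ? sanitize_key( wp_unslash( $_GET['page'] ) ) : '';
	return is_admin() && 0 === strpos( $page, 'acme-' );
}

/** Hypothetical side effect; a real plugin would call the payment gateway here. */
function acme_process_refund( $payment_id ) {
	update_post_meta( $payment_id, '_acme_refunded', time() );
}

/**
 * VULNERABLE pattern (CWE-862, missing authorization): the only gate in front
 * of a money-moving action is the page check above. A Subscriber can send
 *   POST /wp-admin/admin-ajax.php?action=acme_refund&page=acme-payments
 * with payment_id in the body and pass it. There is no nonce either, so the
 * same request also works as CSRF against an administrator.
 */
function acme_ajax_refund_vulnerable() {
	if ( ! acme_is_admin_page() ) {
		wp_send_json_error( 'not an admin page', 400 );
	}
	$payment_id = absint( $_POST['payment_id'] ?? 0 );
	acme_process_refund( $payment_id );
	wp_send_json_success( array( 'payment_id' => $payment_id ) );
}

/**
 * FIXED pattern: authorize the user with a capability check and bind the
 * request to a nonce. A page check may stay for routing, but it must never
 * be the thing that decides whether a refund happens.
 */
function acme_ajax_refund_fixed() {
	// CSRF: the nonce is minted on the plugin's admin screen with
	// wp_create_nonce( 'acme_refund' ) and posted in the "nonce" field.
	check_ajax_referer( 'acme_refund', 'nonce' );

	// Authorization: a capability evaluated server-side from the session,
	// independent of anything in the URL or request body.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'forbidden', 403 );
	}

	$payment_id = absint( $_POST['payment_id'] ?? 0 );
	// Hypothetical post type used to store payments in this example.
	if ( 0 === $payment_id || 'acme_payment' !== get_post_type( $payment_id ) ) {
		wp_send_json_error( 'unknown payment', 404 );
	}
	acme_process_refund( $payment_id );
	wp_send_json_success( array( 'payment_id' => $payment_id ) );
}

// Register only the fixed handler; the vulnerable one is kept for comparison.
add_action( 'wp_ajax_acme_refund', 'acme_ajax_refund_fixed' );

/**
 * Triage helper: is an installed WPForms version inside the affected range
 * from this advisory (1.8.4 <= v <= 1.9.2.1)? version_compare() orders the
 * four-part 1.9.2.1 correctly, unlike a plain string comparison.
 */
function acme_wpforms_version_is_affected( $version ) {
	return version_compare( $version, '1.8.4', '>=' )
		&& version_compare( $version, '1.9.2.1', '<=' );
}
```

When auditing a plugin for this pattern, list every add_action( 'wp_ajax_...' ) and admin_post_ handler and confirm that each one calls current_user_can() (or a capability-aware helper) and verifies a nonce before any write; treat helpers whose name says "is page", "is screen" or "is request" as routing, never as authorization. To feed the triage helper, the installed version can be read with `wp plugin get wpforms-lite --field=version` (assuming the free release's slug wpforms-lite; the paid release is published under the slug wpforms).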
