A critical security vulnerability, tracked as CVE-2024-11205, was recently discovered in the popular WordPress plugin WPForms, which has over 6 million active installations worldwide.
The flaw, reported by researcher villu164 through the Wordfence Bug Bounty Program, allows authenticated users with at least subscriber-level permissions to issue unauthorized refunds for Stripe payments and cancel Stripe subscriptions.
The vulnerability, classified as "Missing Authorization to Payment Refund and Subscription Cancellation," affects WPForms plugin versions 1.8.4 through 1.9.2.1.
With a CVSS score of 8.5 (high severity), this flaw could lead to financial losses for businesses that rely on WPForms to handle payments and subscriptions.
Technical Details
WPForms is widely used to build forms, including payment and subscription forms, with a drag-and-drop builder.
The vulnerability lies in insufficient authorization checks in the plugin's Stripe payment refund and subscription cancellation handlers.
The key functions in question are:
- ajax_single_payment_refund()
- ajax_single_payment_cancel()
While a nonce protects these functions, they lack proper capability checks. A nonce only defends against cross-site request forgery; it does not establish that the requesting user is authorized to perform the action. Consequently, authenticated users with lower permissions (such as subscribers) can exploit this vulnerability.
Below is a snippet of the plugin's vulnerable code:
```php
public function ajax_single_payment_refund() {
	if ( ! isset( $_POST['payment_id'] ) ) {
		wp_send_json_error( [ 'message' => esc_html__( 'Missing payment ID.', 'wpforms-lite' ) ] );
	}

	$this->check_payment_collection_type();

	// CSRF protection only: the nonce proves the request originated from a page
	// this user loaded, not that the user may refund payments. No capability
	// check (e.g. current_user_can()) is performed anywhere in this handler.
	check_ajax_referer( 'wpforms-admin', 'nonce' );

	$payment_id = (int) $_POST['payment_id'];
	$payment_db = wpforms()->obj( 'payment' )->get( $payment_id );

	if ( empty( $payment_db ) ) {
		wp_send_json_error( [ 'message' => esc_html__( 'Payment not found in the database.', 'wpforms-lite' ) ] );
	}

	$args = [
		'metadata' => [ 'refunded_by' => 'wpforms_dashboard' ],
		'reason'   => 'requested_by_customer',
	];

	// Any authenticated user who reaches this line triggers a live Stripe refund.
	$refund = $this->payment_intents->refund_payment( $payment_db->transaction_id, $args );
}
```
The code above shows how the AJAX handler can be abused because it performs no capability check before calling Stripe. A similar issue exists in the ajax_single_payment_cancel() function, enabling unauthorized subscription cancellation.
Users of affected WPForms versions (1.8.4 to 1.9.2.1) are urged to update to version 1.9.2.2 immediately to mitigate this critical vulnerability.
Wordfence Premium, Care, and Response users received early protection on November 15, 2024, while free users will receive it on December 15, 2024.
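For comparison, here is the same handler with the authorization check the vulnerable version lacks. This is an added example written for this article, not WPForms' own patched code; the capability name 'manage_options' and the error message are assumptions, and a real fix should use whatever capability the plugin reserves for managing payments.

```php
<?php
// Added example, not the plugin's own fix. Shows the correct ordering:
// nonce (CSRF) check, then capability (authorization) check, then input
// handling, and only then any side effect against Stripe.
public function ajax_single_payment_refund() {
	// 1. CSRF protection. Proves the request came from a page this user
	//    loaded; says nothing about what the user is allowed to do.
	check_ajax_referer( 'wpforms-admin', 'nonce' );

	// 2. Authorization. This is the check missing in versions 1.8.4 - 1.9.2.1.
	//    'manage_options' is an assumed capability; substitute the capability
	//    the site actually grants to staff who may refund payments.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error(
			[ 'message' => esc_html__( 'You are not allowed to refund payments.', 'wpforms-lite' ) ],
			403
		);
	}

	// 3. Input validation happens only after the caller is known to be authorized.
	if ( ! isset( $_POST['payment_id'] ) ) {
		wp_send_json_error( [ 'message' => esc_html__( 'Missing payment ID.', 'wpforms-lite' ) ] );
	}

	$this->check_payment_collection_type();

	$payment_id = (int) $_POST['payment_id'];
	$payment_db = wpforms()->obj( 'payment' )->get( $payment_id );

	if ( empty( $payment_db ) ) {
		wp_send_json_error( [ 'message' => esc_html__( 'Payment not found in the database.', 'wpforms-lite' ) ] );
	}

	$args = [
		'metadata' => [ 'refunded_by' => 'wpforms_dashboard' ],
		'reason'   => 'requested_by_customer',
	];

	// 4. Side effect: only a nonce-valid, authorized request reaches Stripe.
	$refund = $this->payment_intents->refund_payment( $payment_db->transaction_id, $args );
}
```

The same two-step pattern (check_ajax_referer() followed by current_user_can()) applies to ajax_single_payment_cancel(); a nonce alone never substitutes for a capability check in a WordPress AJAX handler.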