CVE-2024-11205: WPForms Plugin Vulnerability Impacts 6 Million WordPress Sites
A critical vulnerability (CVE-2024-11205) discovered in WPForms, a prevalent WordPress form builder plugin with over 6 million active installations, exposed websites to significant financial risk. The vulnerability, assigned a CVSS v3.1 base score of 8.5, allowed authenticated attackers with subscriber-level privileges or higher to execute unauthorized refunds of Stripe payments and cancellations of Stripe subscriptions.
WPForms is a widely used form builder plugin that lets WordPress site owners create contact forms, feedback forms, subscription forms, and payment forms with a drag-and-drop interface.
The issue lies in the ajax_single_payment_refund() and ajax_single_payment_cancel() functions within the plugin’s SingleActionsHandler class. These functions manage Stripe payment actions and rely on the wpforms_is_admin_ajax() function to verify that a request arrived as an admin AJAX request. However, that function does not enforce capability checks: it confirms how the request was routed, not whether the requesting user is permitted to perform the action, creating a critical security gap.
Although the functions are nonce-protected, an authenticated attacker can retrieve the necessary nonce, so the nonce check alone does not prevent the unauthorized actions. Without additional validation, these functions can be exploited to:
- Refund Stripe payments.
- Cancel active Stripe subscriptions.
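The pattern described above, a nonce check that is mistaken for an authorization check, is a general WordPress plugin bug class. The following is an added example and is not WPForms code or any code from the Wordfence report: a hypothetical admin-AJAX handler (function names, the nonce action name, the option key and the `manage_options` capability are all assumptions) shown first in the weak form that only verifies the nonce, then in a hardened form that adds a capability check. It uses real WordPress APIs (`check_ajax_referer`, `current_user_can`, `wp_send_json_error`, `add_action`) and a stand-in side effect instead of a Stripe call so it runs without external services.

```php
<?php
/**
 * Added example, not WPForms code. Two versions of a hypothetical admin-AJAX
 * handler that performs a privileged action (a stand-in "refund" recorded in
 * an option). Handler names, nonce action, option key and the capability
 * checked are assumptions chosen for illustration.
 */

// Weak pattern: only the nonce is verified. A nonce proves the request came
// from a page the user loaded; any logged-in user, including a subscriber,
// can obtain it from a page that localizes it. It is a CSRF control, not an
// authorization control, so this handler is reachable by every account.
function example_refund_weak() {
    check_ajax_referer( 'example_refund_nonce', 'nonce' );

    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    example_mark_refunded( $order_id ); // privileged side effect, no authz
    wp_send_json_success( array( 'order_id' => $order_id ) );
}

// Hardened pattern: nonce check (CSRF) plus capability check (authorization).
// The capability is what the weak handler lacks; which capability is right
// depends on the plugin's own role model (assumed: manage_options).
function example_refund_hardened() {
    check_ajax_referer( 'example_refund_nonce', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        // Log the refused attempt so repeated probing is visible in audit logs.
        error_log( sprintf( 'example_refund: denied for user %d', get_current_user_id() ) );
        // wp_send_json_error() calls wp_die(), so execution stops here.
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $order_id = isset( $_POST['order_id'] ) ? absint( $_POST['order_id'] ) : 0;
    if ( 0 === $order_id ) {
        wp_send_json_error( array( 'message' => 'Invalid order id.' ), 400 );
    }

    example_mark_refunded( $order_id );
    wp_send_json_success( array( 'order_id' => $order_id ) );
}

// Stand-in for the payment-provider call: records the refund in an option so
// the example has an observable effect without contacting Stripe.
function example_mark_refunded( $order_id ) {
    $refunded   = get_option( 'example_refunded_orders', array() );
    $refunded[] = $order_id;
    update_option( 'example_refunded_orders', array_values( array_unique( $refunded ) ) );
}

// Register only the hardened handler, and only for logged-in users: there is
// deliberately no wp_ajax_nopriv_ registration for a privileged action.
add_action( 'wp_ajax_example_refund', 'example_refund_hardened' );
```

When reviewing a plugin's AJAX handlers, the check to apply is the one this example makes explicit: every `wp_ajax_*` callback that changes state should contain both a nonce verification and a `current_user_can()` call for the capability the action actually requires, and a helper that only tests whether the request came through admin-ajax.php does not satisfy the second requirement.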
This opens the door to potential revenue loss and operational disruptions for businesses relying on WPForms for subscription and payment management.
For businesses using WPForms to manage Stripe payments, this flaw could result in:
- Unauthorized refunds, leading to revenue loss.
- Disruption of subscription services, potentially damaging customer relationships.
- Increased administrative overhead to address and reverse unauthorized actions.
The CVE-2024-11205 vulnerability affects WPForms versions 1.8.4 through 1.9.2.1. Security researcher “villu164” identified and responsibly disclosed the vulnerability through the Wordfence Bug Bounty Program, receiving a bounty of $2,376.00. Wordfence promptly alerted the WPForms development team, who swiftly addressed the issue and released a patched version, 1.9.2.2.