Security flaw in top WordPress plugin could allow for Stripe refunds on millions of sites

(Image credit: Pixabay)

Security researchers found a flaw in WPForms, a popular WordPress plugin for forms
The bug allows malicious actors to ask for Stripe refunds and cancel certain subscriptions
Developers were notified, and have issued a patch

WPForms, a popular WordPress plugin used for contact, feedback, and payment forms, was carrying a vulnerability that could have resulted in businesses having their services disrupted, customer trust eroded, and even losing money, experts have revealed.

Security researcher “vullu164” recently told Wordfence they found a vulnerability in WPForms versions 1.8.4 - 1.9.2, both free and paid versions. The bug allows users with low-level accounts to issue arbitrary Stripe refunds, or cancel different subscriptions.

It is now tracked as CVE-2024-11205, and was assigned a severity score of 8.5 (high). The score may even have been higher if not for the prerequisite of being a registered member on the site. However, since most sites these days allow account registration, exploiting the flaw could be quite easy, and available on numerous sites across the internet.

Releasing the patch

Wordfence then analyzed the flaw on its own, and after confirming the findings, reached out to WPForms’ developer Awesome Motive, who came back with a patch on November 18.

The earliest fixed version of WPForms is 1.9.2.2, and users are highly advised to patch up without delay, or disable the plugin until they do.

WPForms is installed on more than six million websites across the internet, with roughly half currently running an old and vulnerable version. Researchers have not yet found evidence of abuse in the wild, but given the popularity of the plugin, it’s only a matter of time before they do.

WordPress is the world’s most popular website builder platform. It powers roughly half of the world’s internet sites, and as such is a major target for cybercriminals. The platform itself, however, is considered safe, and threat actors are mostly focused on plugins and other addons (such as themes) for vulnerabilities and access points.

Paid plugins are usually considered safer, since they have a dedicated team that maintains the code. Free plugins, especially those run by a single enthusiast, or those with fewer users, are usually more susceptible to attacks.

Via BleepingComputer

Critical Ivanti Cloud Service Appliance flaw exploited in the wild
Here's a list of the best antivirus
These are the best endpoint protection tools right now

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.