Security flaw in top WordPress plugin could allow for Stripe refunds on millions of sites

LovabledanielsDecember 11, 202454 Views

Security researchers found a flaw in WPForms, a popular WordPress plugin for forms
The bug allows malicious actors to ask for Stripe refunds and cancel certain subscriptions
Developers were notified, and have issued a patch

WPForms, a popular WordPress plugin used for contact, feedback, and payment forms, was carrying a vulnerability that could have resulted in businesses having their services disrupted, customer trust eroded, and even losing money, experts have revealed.

Security researcher “vullu164” recently told Wordfence they found a vulnerability in WPForms versions 1.8.4 – 1.9.2, both free and paid versions. The bug allows users with low-level accounts to issue arbitrary Stripe refunds, or cancel different subscriptions.

It is now tracked as CVE-2024-11205, and was assigned a severity score of 8.5 (high). The score may even have been higher if not for the prerequisite of being a registered member on the site. However, since most sites these days allow account registration, exploiting the flaw could be quite easy, and available on numerous sites across the internet.

Releasing the patch

Wordfence then analyzed the flaw on its own, and after confirming the findings, reached out to WPForms’ developer Awesome Motive, who came back with a patch on November 18.

The earliest fixed version of WPForms is 1.9.2.2, and users are highly advised to patch up without delay, or disable the plugin until they do.

WPForms is installed on more than six million websites across the internet, with roughly half currently running an old and vulnerable version. Researchers have not yet found evidence of abuse in the wild, but given the popularity of the plugin, it’s only a matter of time before they do.

WordPress is the world’s most popular website builder platform. It powers roughly half of the world’s internet sites, and as such is a major target for cybercriminals. The platform itself, however, is considered safe, and threat actors are mostly focused on plugins and other addons (such as themes) for vulnerabilities and access points.

Paid plugins are usually considered safer, since they have a dedicated team that maintains the code. Free plugins, especially those run by a single enthusiast, or those with fewer users, are usually more susceptible to attacks.

Via BleepingComputer

Weekly update

More than 100 dead after flooding in eastern DR Congo, officials say | Floods News

Barcelona beat Real Madrid despite Mbappe hat-trick as LaLiga title nears | Football News

Merino scores then sees red as Arsenal come back to draw 2-2 at Liverpool | Football News

Weekly Newsletter

Security flaw in top WordPress plugin could allow for Stripe refunds on millions of sites

Leave a comment

Leave a Reply Cancel reply

Explore more

Barcelona beat Real Madrid despite Mbappe hat-trick as LaLiga title nears | Football News

Merino scores then sees red as Arsenal come back to draw 2-2 at Liverpool | Football News

Fragile truce holds between India, Pakistan after days of fierce exchanges | India-Pakistan Tensions News

Sudan’s army and RSF paramilitary launch attacks across war-ravaged nation | Sudan war News

Samsung’s next pair of affordable Galaxy earbuds could come with a battery boost

Microsoft Teams adds ‘Prevent Screen Capture’ meeting mode to secure sensitive data

How AI helps push Candy Crush players through its most difficult puzzles

iOS 19 tipped to bring big Wi-Fi convenience upgrade, as iOS 18.5 prepares to land in days

Get to Know Us

Let's keep in touch