A high-severity vulnerability in WPForms, a popular WordPress plugin installed on over 6 million websites, allows subscriber-level users to issue unauthorized Stripe refunds and subscription cancellations. The flaw, tracked as CVE-2024-11205, has been addressed in version 1.9.2.2 of the plugin, but many sites remain exposed.
If you’re a website owner or administrator, updating your WPForms plugin immediately should be a top priority.
The bug stems from insufficient access control around the function wpforms_is_admin_ajax(), which verifies whether a request is an admin AJAX call. The function does not check user capabilities, so any authenticated user, including subscribers, can trigger sensitive AJAX functions like:
🛑 ajax_single_payment_refund() — Issues Stripe refunds
🛑 ajax_single_payment_cancel() — Cancels Stripe subscriptions
This flaw affects WPForms versions 1.8.4 to 1.9.2.1, with the issue resolved in 1.9.2.2.
If exploited, this bug can have serious consequences for website owners and businesses, including:
💸 Loss of revenue from unauthorized refunds
⛔ Disruption to business operations
🤝 Damage to customer trust
With millions of sites still running older WPForms versions, it’s crucial to act fast to protect your site’s financial integrity.
The flaw was uncovered by security researcher ‘vullu164’, who reported it to Wordfence’s bug bounty program. Here’s a quick timeline:
November 8, 2024 — Vulnerability reported to Wordfence, researcher awarded $2,376
November 14, 2024 — Full details shared with plugin vendor Awesome Motive
November 18, 2024 — WPForms version 1.9.2.2 released with a patch
Despite the quick response, approximately 3 million WordPress sites are still vulnerable because they haven’t updated to the latest version.
Update WPForms: Ensure you’re running version 1.9.2.2 or higher.
Disable WPForms: If an immediate update isn’t possible, consider disabling the plugin until you can update.
Check User Roles: Review and limit the roles and permissions granted to site users.
Although Wordfence has not seen active exploitation of this vulnerability, it’s only a matter of time before threat actors attempt to capitalize on it. Proactive updates and role management can prevent future headaches.
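To act on the version check above across several sites, the sketch below classifies installs against the affected range given in this article (1.8.4 to 1.9.2.1). It is an added example, not code from WPForms or Wordfence; it assumes you have collected the header comment of each site's main plugin file, and the site names and header text are constructed sample data.

```python
import re

# Affected range stated in the article: 1.8.4 through 1.9.2.1 (fixed in 1.9.2.2).
FIRST_AFFECTED = (1, 8, 4)
LAST_AFFECTED = (1, 9, 2, 1)

def parse_version(text):
    """'1.9.2.1' -> (1, 9, 2, 1). Numeric tuples avoid string-sort bugs
    such as '1.10.0' sorting before '1.9.2.2'."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) > 1 and nums[-1] == 0:  # treat 1.9.2.1.0 as 1.9.2.1
        nums.pop()
    return tuple(nums)

def version_from_header(plugin_file_text):
    """Read the 'Version:' field of a WordPress plugin header comment."""
    m = re.search(r"^[ \t/*#@]*Version:\s*(\S+)", plugin_file_text, re.M | re.I)
    return m.group(1) if m else None

def is_affected(version_text):
    return FIRST_AFFECTED <= parse_version(version_text) <= LAST_AFFECTED

def triage(inventory):
    """Map each site to 'affected', 'ok', or 'unknown' (needs manual review)."""
    result = {}
    for site, header in inventory.items():
        version = version_from_header(header)
        try:
            if version is None:
                result[site] = "unknown"
            else:
                result[site] = "affected" if is_affected(version) else "ok"
        except ValueError:
            result[site] = "unknown"
    return result

# Constructed sample inventory: site -> header text of the main plugin file.
SAMPLE = {
    "shop.example": "/**\n * Plugin Name: WPForms Lite\n * Version: 1.9.2.1\n */",
    "blog.example": "/**\n * Plugin Name: WPForms Lite\n * Version: 1.9.2.2\n */",
    "old.example": "/**\n * Plugin Name: WPForms Lite\n * Version: 1.8.3\n */",
    "dev.example": "/**\n * Plugin Name: WPForms Lite\n * Version: 1.9.2.2-rc1\n */",
    "bare.example": "/**\n * Plugin Name: WPForms Lite\n */",
}

if __name__ == "__main__":
    for site, status in triage(SAMPLE).items():
        print(f"{site}: {status}")
```

Sites reported as "unknown" have a missing or non-numeric version string and should be checked by hand rather than assumed safe.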
WPForms is a user-friendly, drag-and-drop WordPress form builder that enables website owners to create forms for:
📩 Contact forms
📝 Feedback forms
🔔 Subscription forms
💳 Payment forms (with support for Stripe, PayPal, and Square)
The plugin’s simplicity and powerful integrations make it a must-have tool for many site owners, but it’s critical to keep it updated to avoid security risks.
Update WPForms to 1.9.2.2 now to avoid potential exploits.
Ensure all plugins and WordPress core files are kept up-to-date.
Monitor your payment system for unusual refund or cancellation activity.
Don’t wait for attackers to exploit this vulnerability. Act now to protect your business, revenue, and customer trust!