A critical vulnerability was discovered in the WPForms plugin (CVE-2024-11205) that allows authenticated attackers to execute unauthorized refunds and cancellations of Stripe subscriptions.
CVSS Score: 8.5/High
Description: WPForms is a widely used form builder plugin, enabling WordPress site owners to create contact forms, feedback forms, subscription forms, and payment forms with a drag-and-drop interface. The WPForms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpforms_is_admin_page' function in versions starting from 1.8.4 up to, and including, 1.9.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to refund payments and cancel subscriptions.
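The root cause described above is an authorization gap: a payment action was reachable by any logged-in user because the code tested where the request came from rather than what the user is allowed to do. The following is an added illustration of that pattern and its fix in a hypothetical WordPress plugin ("acme-pay"); it is not WPForms' code, and the hook names, capability name and the acme_stripe_refund() helper are assumptions. Note that WordPress's is_admin() returns true for every admin-ajax.php request, including ones made by Subscribers, so it is a location check, not a permission check.

```php
<?php
// Added example for a hypothetical plugin "acme-pay". Not WPForms' code.
// acme_stripe_refund() is an assumed helper that calls the payment gateway.

// ---- Weak pattern: "are we in the admin area?" is used as if it were
// an authorization check. Any authenticated user can hit admin-ajax.php,
// and is_admin() is true there, so Subscribers pass this test.
add_action( 'wp_ajax_acme_refund_weak', 'acme_refund_payment_weak' );
function acme_refund_payment_weak() {
    if ( ! is_admin() ) {
        wp_send_json_error( 'not an admin request' );
    }
    $payment_id = absint( $_POST['payment_id'] ?? 0 );
    acme_stripe_refund( $payment_id ); // assumed helper
    wp_send_json_success();
}

// ---- Hardened pattern: nonce + capability + input validation + audit log.
add_action( 'wp_ajax_acme_refund', 'acme_refund_payment_hardened' );
function acme_refund_payment_hardened() {
    // 1. CSRF protection: the nonce must match this specific action.
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'acme_refund_payment', 'nonce' );

    // 2. Authorization: require a capability that only trusted roles hold.
    //    A plugin-specific capability (granted to administrators at
    //    activation) is least-privilege; 'manage_options' is the usual fallback.
    if ( ! current_user_can( 'acme_manage_payments' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input validation: reject a missing or non-numeric payment id.
    $payment_id = absint( $_POST['payment_id'] ?? 0 );
    if ( 0 === $payment_id ) {
        wp_send_json_error( 'invalid payment id', 400 );
    }

    // 4. Audit trail: record who triggered a financial action, so a
    //    refund storm is attributable during incident response.
    error_log( sprintf(
        'acme-pay: refund of payment %d requested by user %d',
        $payment_id,
        get_current_user_id()
    ) );

    acme_stripe_refund( $payment_id ); // assumed helper
    wp_send_json_success();
}

// Grant the custom capability to administrators once, on activation.
register_activation_hook( __FILE__, function () {
    $role = get_role( 'administrator' );
    if ( $role ) {
        $role->add_cap( 'acme_manage_payments' );
    }
} );
```

When reviewing a plugin for this class of bug, look at every wp_ajax_*, REST route and admin-post handler that changes state and confirm it calls current_user_can() (or a REST permission_callback) in addition to any nonce check; a nonce alone only proves intent, not authority.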
Affected Versions:
WPForms versions 1.8.4 – 1.9.2.1.
Impact:
If exploited, this vulnerability could lead to unauthorized modification of data.
Resolution:
Update the WPForms plugin to the latest version.