CyberSecurity SEE

CVE-2024-11205 Security Flaw Affects Over 6 Million WordPress Sites

A critical vulnerability, tracked as CVE-2024-11205, has been identified in WPForms, a widely used WordPress form builder with more than 6 million active installations. The flaw carries a CVSS score of 8.5 and primarily affects sites that rely on WPForms for payment processing and subscription management, particularly those integrating with Stripe.

The flaw allows authenticated attackers to issue unauthorized refunds and cancel Stripe subscriptions, potentially resulting in financial losses and operational disruptions.

WPForms is renowned for its versatility in creating various forms such as contact forms, feedback forms, and payment forms on WordPress websites. The plugin stands out for its user-friendly drag-and-drop interface, making it effortless for users to design and manage forms.

The vulnerability within WPForms originates from a flaw in the plugin’s core functionality, specifically within the SingleActionsHandler class, which oversees Stripe payment actions. The vulnerable functions, ajax_single_payment_refund() and ajax_single_payment_cancel(), permit attackers with subscriber-level or higher privileges to execute actions that are typically restricted to administrators.

These functions rely on the wpforms_is_admin_ajax() function to determine whether an AJAX request originates from an admin interface. That function performs no capability check, so it establishes only how the request arrived, not whether the calling user is authorized. Although the handlers are nonce-protected, an authenticated attacker who obtains the nonce can still reach them, because a nonce guards against cross-site request forgery rather than enforcing user permissions, and can then perform unauthorized refunds and cancellations.

The repercussions of this WPForms vulnerability are significant, especially for businesses using WPForms for Stripe payments. Attackers gaining access to an account with subscriber-level privileges can trigger Stripe payment refunds or cancel active Stripe subscriptions, leading to:

– Unauthorized refunds for legitimate payments, potentially causing financial harm to businesses.
– Disruption of ongoing services by canceling active subscriptions, tarnishing customer relationships.
– Increased operational costs as businesses would need to invest resources to rectify the damage caused by unauthorized actions.

The vulnerable versions of WPForms span from 1.8.4 through 1.9.2.1, leaving a substantial number of websites vulnerable. Given the widespread adoption of the plugin, the flaw impacts millions of WordPress sites relying on WPForms for payment and subscription services.

Technically, the root cause is the absence of a capability check in wpforms_is_admin_ajax(), which allows users with lower-level privileges to pass the gate. The affected functions, ajax_single_payment_refund() and ajax_single_payment_cancel(), handle Stripe payment actions but perform no authorization check of their own, so an attacker who has retrieved the nonce can invoke them to execute unauthorized payment actions.
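The authorization pattern described in the two technical paragraphs above, shown as a constructed PHP example that is not WPForms' own code: the weak handler gates only on a nonce and an "admin-ajax origin" test, while the hardened handler adds the capability check that was missing. All demo_ names, the nonce action string and the refund helper are hypothetical; only the WordPress core functions are real.

```php
<?php
/*
 * Constructed illustration of the bug class described in the article.
 * Not WPForms code: the demo_ functions and the nonce action are
 * hypothetical stand-ins. WordPress core functions used here are real:
 * check_ajax_referer(), wp_doing_ajax(), wp_get_referer(), admin_url(),
 * current_user_can(), absint(), wp_send_json_error(), wp_send_json_success().
 */

// Hypothetical stand-in for an "is this an admin-ajax request?" test.
// It establishes HOW the request arrived, not WHO sent it: any logged-in
// user, a subscriber included, can satisfy it.
function demo_is_admin_ajax() {
    return wp_doing_ajax()
        && strpos( (string) wp_get_referer(), admin_url() ) === 0;
}

// Weak form: nonce + origin test only. The nonce defends against CSRF,
// but neither check asks whether the user may refund payments, so a
// subscriber who has obtained the nonce passes both gates.
function demo_refund_weak() {
    check_ajax_referer( 'demo_payments_nonce', 'nonce' );
    if ( ! demo_is_admin_ajax() ) {
        wp_send_json_error( 'Not an admin-ajax request.', 403 );
    }
    demo_issue_refund( absint( $_POST['payment_id'] ?? 0 ) );
    wp_send_json_success();
}

// Hardened form: the nonce check stays, and the decision to refund is
// additionally gated on a capability that subscriber accounts do not hold.
function demo_refund_hardened() {
    check_ajax_referer( 'demo_payments_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }
    demo_issue_refund( absint( $_POST['payment_id'] ?? 0 ) );
    wp_send_json_success();
}

// Placeholder for the payment-provider refund call (out of scope here).
function demo_issue_refund( $payment_id ) {
    do_action( 'demo_refund_issued', $payment_id );
}

// wp_ajax_* hooks fire for every authenticated user regardless of role,
// which is exactly why the handler itself must carry the capability check.
add_action( 'wp_ajax_demo_refund', 'demo_refund_hardened' );
```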

To address the risks associated with CVE-2024-11205, users are strongly advised to update their WPForms plugin to the latest version, 1.9.2.2. This patched version rectifies the authorization checks, ensuring that only authorized users can initiate payment and subscription actions within the plugin.

Until the patch is applied, site owners should also monitor for unauthorized refunds or cancellations, and review user roles and permissions on their WordPress site so that subscriber-level access is limited to trusted individuals.

The response to the WPForms vulnerability underscores the critical need to address security flaws in widely-used WordPress plugins. With over 6 million active installations, this vulnerability posed a significant threat to financial stability and business continuity. Collaborative efforts between Wordfence and the WPForms development team resulted in effective security measures being implemented promptly to safeguard users from potential exploits.
