WPForms WordPress Vulnerability – CVE-2024-11205

David Pottrell

Hi! I’m a web developer and Head of Digital at Nebula Design who loves all things tech. When I’m not surrounded by code, I’m probably reading up on the latest development trends or on the pottery wheel.

I got my start in technology as a self-taught web freelancer; after studying at university and joining a small agency, I created Nebula Design. I specialise in both front-end and back-end development, typically around WordPress, and I also have expertise in Search Engine Optimisation, ecommerce and various emerging tech standards.

Published on December 11th, 2024

Overview

The vulnerability, identified as CVE-2024-11205, affects WPForms, a WordPress plugin with more than 6,000,000 active installations. It was uncovered by security researcher villu164, who reported it to Wordfence on October 23, 2024 via their Bug Bounty Program. The flaw makes it possible for an authenticated attacker with subscriber-level access or above to refund Stripe payments and cancel Stripe subscriptions.

Affected Plugin: WPForms 1.8.4 through 1.9.2.1

WPForms is a popular WordPress plugin for building payment, survey, subscription and other forms through an intuitive drag-and-drop interface. A significant vulnerability in its code, however, exposed those six million websites to potential exploitation. The flaw originated in the plugin’s ajax_single_payment_refund() and ajax_single_payment_cancel() functions, the AJAX handlers that process refunds and subscription cancellations for Stripe transactions, which lacked an authorization check and so could be reached by any authenticated user.
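To illustrate the class of defect described above (a missing authorization check in a WordPress AJAX handler), here is an added example of a hypothetical plugin handler; it is not WPForms’ own code. The first version only relies on the request being authenticated, so any subscriber can trigger a refund; the second adds the nonce and capability checks a payment endpoint needs. The `mp_` prefix, the action names and the `mp_stripe_refund()` helper are assumptions.

```php
<?php
// Hypothetical plugin code (assumed names; not WPForms' code).
// wp_ajax_* hooks only run for logged-in users, so the request is
// authenticated, but "logged in" is not "authorized".

// BEFORE: missing authorization. Any logged-in user, including a
// Subscriber, can refund an arbitrary payment by POSTing its ID.
function mp_ajax_refund_payment_vulnerable() {
    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    if ( ! $payment_id ) {
        wp_send_json_error( 'missing payment id', 400 );
    }
    $result = mp_stripe_refund( $payment_id ); // assumed helper that calls the Stripe API
    wp_send_json_success( $result );
}

// AFTER: verify a nonce (CSRF) and a capability (authorization) before
// touching payment state. 'manage_options' restricts the action to
// administrators; a plugin could also register a narrower custom capability.
function mp_ajax_refund_payment_fixed() {
    // Nonce check: rejects requests that do not carry a valid token issued to the admin UI.
    check_ajax_referer( 'mp_refund_payment', 'nonce' );

    // Authorization check: this is exactly what the vulnerable version lacks.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    if ( ! $payment_id ) {
        wp_send_json_error( 'missing payment id', 400 );
    }
    $result = mp_stripe_refund( $payment_id );
    wp_send_json_success( $result );
}

// Register only the hardened handler. No wp_ajax_nopriv_ hook is added,
// so unauthenticated requests never reach it at all.
add_action( 'wp_ajax_mp_refund_payment', 'mp_ajax_refund_payment_fixed' );
```

When reviewing a plugin, treat every `wp_ajax_` callback that changes state as suspect until it contains both a `check_ajax_referer()` and a `current_user_can()` call.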

Preventive Measures

To protect your WordPress website from similar vulnerabilities in the future, consider the following best practices:

  • Regularly update all plugins, themes, and WordPress core files. Vulnerabilities are often discovered and patched in subsequent updates.
  • Implement least-privilege access controls so that only authorised users can reach sensitive site functionality such as file management.
  • Use two-factor authentication (2FA) for logging in to the WordPress admin area.
  • Consider using manual file management through secure FTP instead of relying on file management plugins with web-based access.

The Wordfence Timeline

November 8, 2024 – We received the submission for the Missing Authorization to Authenticated (Subscriber+) Payment Refund and Subscription Cancellation vulnerability in WPForms via the Wordfence Bug Bounty Program.
November 14, 2024 – We validated the report and confirmed the proof-of-concept exploit.
November 14, 2024 – We sent over the full disclosure details to the vendor. The vendor acknowledged the report and began working on a fix.
November 15, 2024 – Wordfence Premium, Care, and Response users received a firewall rule to provide protection against any exploits that may target this vulnerability.
November 18, 2024 – The fully patched version of the plugin, 1.9.2.2, was released.
December 15, 2024 – Wordfence Free users will receive the same protection.

Conclusion

The WPForms vulnerability affecting versions 1.8.4 through 1.9.2.1 allows authenticated threat actors with subscriber-level permissions or higher to refund Stripe payments and cancel Stripe subscriptions. The vulnerability has been addressed in version 1.9.2.2 of the plugin.

For more information on WordPress security and steps to protect your site, feel free to reach out via our contact page or book a discovery call.