
A critical vulnerability has been discovered in the WordPress plugin WPForms. The flaw allows authenticated attackers with subscriber-level privileges or higher to execute unauthorized refunds of Stripe payments and cancellations of Stripe subscriptions.
The vulnerability, tracked as CVE-2024-11205 with a CVSS score of 7.5, stems from the ajax_single_payment_refund() and ajax_single_payment_cancel() functions within the plugin’s SingleActionsHandler class. These functions manage Stripe payment actions and rely on the wpforms_is_admin_ajax() function to verify admin AJAX requests. However, that function only checks whether the request is an admin-side AJAX request; it does not enforce any capability check, creating a critical security gap.
Because any authenticated user can send an admin AJAX request, an attacker with a low-privilege account can retrieve the details these handlers need and invoke them to execute unauthorized actions. Without additional validation, these functions can be exploited to:
- Refund Stripe payments.
- Cancel active Stripe subscriptions.
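To make the root cause concrete, the following is an added illustrative example (hypothetical code written for this article, not WPForms' actual source): a WordPress AJAX handler gated only on an "is this admin AJAX?" check, beside a hardened version that also verifies a nonce and a capability. The function names, the nonce action and the `manage_options` capability are assumptions chosen for the example.

```php
<?php
// Hypothetical helper mirroring the weak pattern described above: it answers
// "is this an admin-side AJAX request?" and nothing more. Any logged-in user,
// a subscriber included, can send such a request.
function example_is_admin_ajax_only() {
    return is_admin() && wp_doing_ajax();
}

// Weak handler: the only gate is the admin-AJAX check, so every authenticated
// user can reach the refund logic.
function example_payment_refund_weak() {
    if ( ! example_is_admin_ajax_only() ) {
        wp_send_json_error( 'not an admin ajax request', 400 );
    }
    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    // ... refund $payment_id via the payment provider ...
    wp_send_json_success( array( 'refunded' => $payment_id ) );
}

// Hardened handler: a nonce ties the request to a page this site issued, and
// a capability check restricts the action to users allowed to manage payments.
function example_payment_refund_hardened() {
    // check_ajax_referer() terminates the request if the nonce is missing/invalid.
    check_ajax_referer( 'example_refund_nonce', 'nonce' );

    // The capability string is an assumption for this example; a real plugin
    // would use whichever capability it reserves for payment management.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    if ( ! $payment_id ) {
        wp_send_json_error( 'invalid payment id', 400 );
    }
    // ... refund $payment_id via the payment provider ...
    wp_send_json_success( array( 'refunded' => $payment_id ) );
}

// wp_ajax_{action} hooks run only for authenticated users, which is precisely
// why the handler itself, not the hook, must enforce the capability check.
add_action( 'wp_ajax_example_payment_refund', 'example_payment_refund_hardened' );
```

The hardened version is the shape of fix a reviewer would look for in the patched release: the request must prove both that it came from the site (nonce) and that the user is permitted to perform the action (capability).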
For businesses using WPForms to manage Stripe payments, this flaw could result in:
- Unauthorized refunds, leading to revenue loss.
- Disruption of subscription services, potentially damaging customer relationships.
- Increased administrative overhead to address and reverse unauthorized actions.
The vulnerability affects WPForms versions 1.8.4 through 1.9.2.1. Security researcher “villu164” identified and responsibly disclosed the vulnerability through the Wordfence Bug Bounty Program, receiving a bounty of $2,376.00. Wordfence promptly alerted the WPForms development team, who swiftly addressed the issue and released a patched version, 1.9.2.2.