CERT-In Issues Alert on WPForms Vulnerability That Can Disrupt Payment and Subscription Services

Cyble | CVE-2024-11205

Overview 

The Indian Computer Emergency Response Team (CERT-In) has issued an alert regarding a critical security vulnerability in the WPForms plugin for WordPress. The flaw, identified as CVE-2024-11205, could allow attackers to bypass authorization controls and perform payment refunds and subscription cancellations on Stripe-powered websites.  

This WPForms plugin vulnerability, affecting WPForms versions 1.8.4 through 1.9.2.1, leaves WordPress sites vulnerable to exploitation by authenticated users with lower-level permissions. The vulnerability was disclosed publicly on December 9, 2024, by Wordfence researchers, and a patch was made available in WPForms version 1.9.2.2. 

The flaw stems from the absence of a capability check in the wpforms_is_admin_ajax function. This function is responsible for determining whether a user is accessing the admin interface via an AJAX request. Because it answers only "is this an admin AJAX request?" and never "is this user authorized?", attackers with Subscriber-level access or higher could bypass the restrictions and execute critical actions such as refunds and subscription cancellations on Stripe-powered sites.

This vulnerability has been documented in the CIVN-2025-0001 Vulnerability Note, issued by CERT-In on January 1, 2025, indicating a High severity rating. Websites that rely on WPForms for financial transactions are particularly at risk of unauthorized modifications to their data, potentially causing significant financial losses and disruption of services.

Technical Details of the WPForms Plugin Vulnerability (CVE-2024-11205) 

The vulnerability exists in versions 1.8.4 through 1.9.2.1 of the WPForms plugin, where the wpforms_is_admin_ajax function lacks proper checks to ensure that the user requesting sensitive actions is authorized to do so. This function is intended to confirm whether a request originates from an admin interface, but because it does not perform capability checks, attackers can exploit the flaw to trigger the ajax_single_payment_refund and ajax_single_payment_cancel functions.

These functions are used to process Stripe payments, but in the vulnerable versions of WPForms, they can be exploited by authenticated users with as little as Subscriber-level access. While nonce protection exists to prevent attacks such as Cross-Site Request Forgery (CSRF), authenticated attackers can bypass this protection by obtaining the nonce. This means that an attacker could potentially: 

  • Initiate unauthorized refunds for legitimate payments, resulting in financial harm to businesses. 
  • Cancel active subscriptions, disrupting services and harming customer relationships. 

These unauthorized actions could lead to a loss of revenue, significant operational costs, and reputational damage, particularly for businesses that rely on WPForms for managing payments and subscriptions. 
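To make the root cause concrete, here is an added illustration of the handler pattern the advisory describes; it is not WPForms' own code. All example_* names, the nonce action and the capability used are assumptions: a privileged admin-ajax handler that gates on "admin AJAX context plus nonce" is shown beside the same handler with the missing capability check added.

```php
<?php
// Added illustration (not WPForms code): the difference between checking
// request *context* and checking the caller's *capability*.

// Stand-in for the kind of helper the advisory describes: it only reports
// whether this is an admin-side AJAX request, not who is making it.
// (admin-ajax.php lives under wp-admin, so is_admin() is true for any caller.)
function example_is_admin_ajax() {
    return defined( 'DOING_AJAX' ) && DOING_AJAX && is_admin();
}

// Hypothetical gateway call; a real handler would talk to the payment API here.
function example_issue_refund( $payment_id ) {
    return true;
}

// BEFORE: authorization is inferred from request context. Any logged-in user
// (a Subscriber included) who obtains the nonce passes both gates.
function example_refund_handler_vulnerable() {
    check_ajax_referer( 'example_payment_nonce', 'nonce' );   // anti-CSRF only
    if ( ! example_is_admin_ajax() ) {
        wp_send_json_error( 'not an admin request', 403 );   // wp_die()s
    }
    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    example_issue_refund( $payment_id );
    wp_send_json_success();
}

// AFTER: the nonce proves intent; current_user_can() proves authority.
// Both must hold before a refund is issued.
function example_refund_handler_fixed() {
    check_ajax_referer( 'example_payment_nonce', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {          // assumed capability
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    if ( ! $payment_id ) {
        wp_send_json_error( 'invalid payment id', 400 );
    }
    example_issue_refund( $payment_id );
    wp_send_json_success();
}

// Register only the hardened handler, and no wp_ajax_nopriv_ variant:
// unauthenticated callers must never reach a refund path at all.
add_action( 'wp_ajax_example_refund', 'example_refund_handler_fixed' );
```

When auditing a plugin for this class of bug, look for wp_ajax_* handlers whose only gate is a nonce or an "is admin" helper; a nonce is an anti-CSRF token and says nothing about the caller's role.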

Exploitation Scenario 

The vulnerability allows attackers with Subscriber-level access or higher to exploit the ajax_single_payment_refund and ajax_single_payment_cancel functions. Normally, these actions are restricted to administrators, but the missing capability checks allow lower-level users to initiate them. 

Once an attacker gains access to these functions, they can initiate unauthorized refunds for Stripe payments and cancel active subscriptions. This could result in: 

  • Significant revenue loss for businesses from unauthorized refunds. 
  • Interruption of customer services from cancelled subscriptions, leading to customer dissatisfaction and churn. 
  • Loss of trust among customers and harm to the business’s reputation from unauthorized transactions. 

Given WPForms’ widespread use, this flaw affects millions of WordPress websites, with businesses of all sizes being vulnerable to exploitation. 

Remediation and Patch Details 

WPForms quickly addressed the issue by releasing a patched version of the plugin, version 1.9.2.2, on November 18, 2024. Users who are running versions 1.8.4 through 1.9.2.1 are strongly advised to update to the latest version immediately to protect their websites from exploitation. 

In addition to the patch, Wordfence, a leading security service for WordPress, took swift action to protect its users. On November 15, 2024, Wordfence Premium, Care, and Response users received a firewall rule to protect against potential exploits targeting this vulnerability. Protection for users of the free version of Wordfence was rolled out on December 15, 2024. 

The impact of this CVE-2024-11205 vulnerability is severe for businesses that rely on WPForms to manage payments and subscriptions via Stripe. If exploited, the vulnerability could result in: 

  • Financial damage from unauthorized refunds and subscription cancellations. 
  • Disruption of business operations, particularly for e-commerce sites that rely on WPForms for processing payments. 
  • Loss of customer trust, as attackers could interfere with services and create doubts about the site’s security. 

Conclusion 

The CVE-2024-11205 vulnerability poses a risk to WPForms users, allowing attackers with Subscriber-level access or higher to initiate unauthorized payment refunds and cancel subscriptions. To mitigate this threat, it is crucial for users to update to the latest patched version, 1.9.2.2, which addresses the issue. The vulnerability’s potential impact on financial transactions and business operations makes it imperative for WordPress site administrators to prioritize this update, particularly those using WPForms for payment and subscription management. 
