CVE-2024-11205
📋 TL;DR
This vulnerability in the WPForms WordPress plugin allows authenticated users with Subscriber-level access or higher to refund payments and cancel subscriptions without proper authorization. It affects WordPress sites using WPForms versions 1.8.4 through 1.9.2.1. Attackers can exploit this to cause financial loss and disrupt subscription services.
💻 Affected Systems
- WPForms WordPress Plugin
📦 What is this software?
WPForms by WPForms
⚠️ Risk & Real-World Impact
Worst Case
Attackers could systematically refund all payments and cancel all subscriptions, causing significant financial loss, service disruption, and reputational damage to the business.
Likely Case
Attackers with subscriber accounts could refund recent payments and cancel active subscriptions, leading to revenue loss and customer service issues.
If Mitigated
With proper access controls and monitoring, impact would be limited to isolated incidents that could be quickly detected and reversed.
🎯 Exploit Status
Exploitation requires authenticated access but only at Subscriber level, which is the lowest WordPress user role. The vulnerability is in a specific function that lacks proper capability checks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.9.2.2
Vendor Advisory: https://wordpress.org/plugins/wpforms-lite/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find WPForms and click 'Update Now'.
4. Verify that the update reached version 1.9.2.2 or later.
🔧 Temporary Workarounds
Temporarily disable WPForms
Disable the WPForms plugin until patching is possible:
wp plugin deactivate wpforms-lite
Restrict user registration
Temporarily disable new user registration to prevent attacker account creation:
Go to WordPress Settings → General → Membership and uncheck 'Anyone can register'
🧯 If You Can't Patch
- Implement strict access controls and review all user accounts with Subscriber or higher privileges
- Enable detailed logging of payment and subscription actions and monitor for unauthorized refund/cancel activities
🔍 How to Verify
Check if Vulnerable:
Check the WPForms plugin version in the WordPress admin panel under Plugins → Installed Plugins. If the version is between 1.8.4 and 1.9.2.1 inclusive, the site is vulnerable.
Check Version:
wp plugin get wpforms-lite --field=version
Verify Fix Applied:
After updating, verify that the WPForms version shown in the WordPress admin panel is 1.9.2.2 or higher.
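The version-range check above, scripted: this is an added example written for this page, not code from the advisory or from WPForms. It takes the string that `wp plugin get wpforms-lite --field=version` prints (or a version passed on the command line) and compares it as a tuple of integers, so a later release such as 1.10.x is not misjudged by string comparison. The `wp` invocation and the `--path` argument are assumptions about how the site is laid out.

```python
"""Added example: flag a WPForms version that falls in the affected range
1.8.4 .. 1.9.2.1 (inclusive) for CVE-2024-11205. Not code from the advisory
or from WPForms."""
import re
import subprocess
import sys

AFFECTED_MIN = (1, 8, 4)     # first affected release named by the advisory
AFFECTED_MAX = (1, 9, 2, 1)  # last affected release
FIXED_VERSION = "1.9.2.2"


def parse_version(version: str) -> tuple:
    """'1.9.2.1' -> (1, 9, 2, 1). Ints in a tuple compare numerically, which
    avoids the classic string-comparison mistake where '1.10' < '1.9'."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def pad(v: tuple, width: int = 4) -> tuple:
    """Right-pad with zeros so '1.9' compares as (1, 9, 0, 0)."""
    return v + (0,) * (width - len(v))


def is_vulnerable(version: str) -> bool:
    """True when the given WPForms version is inside the affected range."""
    v = pad(parse_version(version))
    return pad(AFFECTED_MIN) <= v <= pad(AFFECTED_MAX)


def installed_version(wp_path: str = ".") -> str:
    """Ask wp-cli for the installed version (assumption: `wp` is on PATH and
    wp_path is the WordPress root; wp-cli's global --path flag selects it)."""
    proc = subprocess.run(
        ["wp", "plugin", "get", "wpforms-lite", "--field=version", f"--path={wp_path}"],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.strip()


def verdict(version: str) -> str:
    """Human-readable result for one version string."""
    if is_vulnerable(version):
        return f"WPForms {version}: VULNERABLE to CVE-2024-11205, update to {FIXED_VERSION} or later"
    return f"WPForms {version}: not in the affected range"


if __name__ == "__main__":
    # Usage: python check_wpforms.py [version]   (no argument = query wp-cli)
    print(verdict(sys.argv[1] if len(sys.argv) > 1 else installed_version()))
```

Run it with a version argument on a workstation, or without one on the server so it asks wp-cli directly; padding shorter strings with zeros keeps a bare "1.9" inside the range, and the regex tolerates suffixes such as a beta tag.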
📡 Detection & Monitoring
Log Indicators:
- Unexpected refund or subscription cancellation events in Stripe/WPForms logs
- Payment status changes initiated by non-admin users
- Multiple refund requests from single user accounts
Network Indicators:
- HTTP POST requests to wp-admin/admin-ajax.php with 'action' parameter containing 'wpforms_stripe' or payment-related actions from non-admin users
SIEM Query:
source="wordpress.log" AND ("refund" OR "cancel" OR "wpforms_stripe") AND user_role!="administrator"
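The log indicators and SIEM query above, as an added detection example that is not part of the advisory and not WPForms code. The log format, field names and the sample events are constructed for this demonstration; the action names are modelled on the 'wpforms_stripe' admin-ajax actions the advisory mentions and are assumed, so map `parse_line` onto whatever audit-log or Stripe event format the site actually produces.

```python
"""Added example: run the advisory's log indicators over constructed audit-log
lines. Not code from the advisory or from WPForms; the log format and action
names are assumptions."""
import json
from collections import Counter

# Constructed sample events (one JSON object per line). Field names are assumed.
SAMPLE_LOG = """\
{"ts": "2024-12-10T09:01:00Z", "user": "alice",   "role": "administrator", "action": "wpforms_stripe_refund", "payment": "pi_001"}
{"ts": "2024-12-10T09:05:12Z", "user": "mallory", "role": "subscriber",    "action": "wpforms_stripe_refund", "payment": "pi_002"}
{"ts": "2024-12-10T09:05:13Z", "user": "mallory", "role": "subscriber",    "action": "wpforms_stripe_refund", "payment": "pi_003"}
{"ts": "2024-12-10T09:05:14Z", "user": "mallory", "role": "subscriber",    "action": "wpforms_stripe_cancel", "payment": "sub_010"}
{"ts": "2024-12-10T09:07:00Z", "user": "bob",     "role": "subscriber",    "action": "wpforms_form_submit",   "payment": null}
{"ts": "2024-12-10T09:08:00Z", "user": "carol",   "role": "editor",        "action": "wpforms_stripe_cancel", "payment": "sub_011"}
not-json garbage line that the parser must skip
"""

PAYMENT_KEYWORDS = ("refund", "cancel")   # mirrors the SIEM query's "refund" OR "cancel"
REFUND_THRESHOLD = 2                      # "multiple refund requests from a single user"


def parse_line(line: str):
    """Parse one log line; return None for lines that are not well-formed events."""
    try:
        ev = json.loads(line)
    except json.JSONDecodeError:
        return None
    return ev if isinstance(ev, dict) and "action" in ev else None


def is_payment_action(action: str) -> bool:
    """True for refund/cancel style actions, whatever the exact action name."""
    return any(k in action for k in PAYMENT_KEYWORDS)


def analyze(log_text: str) -> list:
    """Return findings for (a) refund/cancel actions by non-administrators and
    (b) accounts that issued REFUND_THRESHOLD or more refunds."""
    findings = []
    refunds_per_user = Counter()
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or not is_payment_action(ev["action"]):
            continue
        if ev.get("role") != "administrator":       # user_role != "administrator"
            findings.append({
                "rule": "non_admin_payment_action",
                "ts": ev.get("ts"), "user": ev.get("user"),
                "role": ev.get("role"), "action": ev["action"],
                "payment": ev.get("payment"),
            })
        if "refund" in ev["action"]:
            refunds_per_user[ev.get("user")] += 1
    for user, n in sorted(refunds_per_user.items()):
        if n >= REFUND_THRESHOLD:
            findings.append({"rule": "multiple_refunds_single_user", "user": user, "count": n})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

On the sample data the first rule fires four times (three actions by the subscriber account and one by an editor, matching the query's `user_role!="administrator"` condition) and the second rule fires once for the account with two refunds; the administrator's own refund is counted but never flagged. Tune `REFUND_THRESHOLD` and the role comparison to the site's real role model, since a store that legitimately lets shop managers refund will need that role excluded too.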
🔗 References
- https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.9.2.1/includes/functions/checks.php#L191
- https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.9.2.1/src/Integrations/Stripe/Admin/Payments/SingleActionsHandler.php#L148
- https://plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.9.2.1/src/Integrations/Stripe/Admin/Payments/SingleActionsHandler.php#L92
- https://plugins.trac.wordpress.org/changeset/3191229/wpforms-lite#file2128
- https://www.wordfence.com/threat-intel/vulnerabilities/id/66898509-a93c-4dc3-bf01-1743daaa0ff1?source=cve