Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Security flaw in top WordPress plugin could allow for Stripe refunds on millions of sites

WordPress.

  • Security researchers found a flaw in WPForms, a popular WordPress plugin for forms
  • The bug allows malicious actors to ask for Stripe refunds and cancel certain subscriptions
  • Developers were notified, and have issued a patch

WPForms, a popular WordPress plugin used for contact, feedback, and payment forms, was carrying a vulnerability that could have resulted in businesses having their services disrupted, customer trust eroded, and even losing money, experts have revealed.

Security researcher “vullu164” recently told Wordfence they found a vulnerability in WPForms versions 1.8.4 - 1.9.2, both free and paid versions. The bug allows users with low-level accounts to issue arbitrary Stripe refunds, or cancel different subscriptions.

It is now tracked as CVE-2024-11205, and was assigned a severity score of 8.5 (high). The score may even have been higher if not for the prerequisite of being a registered member on the site. However, since most sites these days allow account registration, exploiting the flaw could be quite easy, and available on numerous sites across the internet.

Releasing the patch

Wordfence then analyzed the flaw on its own, and after confirming the findings, reached out to WPForms’ developer Awesome Motive, who came back with a patch on November 18.

The earliest fixed version of WPForms is 1.9.2.2, and users are highly advised to patch up without delay, or disable the plugin until they do.

WPForms is installed on more than six million websites across the internet, with roughly half currently running an old and vulnerable version. Researchers have not yet found evidence of abuse in the wild, but given the popularity of the plugin, it’s only a matter of time before they do.

WordPress is the world’s most popular website builder platform. It powers roughly half of the world’s internet sites, and as such is a major target for cybercriminals. The platform itself, however, is considered safe, and threat actors are mostly focused on plugins and other addons (such as themes) for vulnerabilities and access points.

Paid plugins are usually considered safer, since they have a dedicated team that maintains the code. Free plugins, especially those run by a single enthusiast, or those with fewer users, are usually more susceptible to attacks.

Via BleepingComputer

You might also like

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.