A critical vulnerability, identified as CVE-2024-11205, was discovered in the WPForms plugin, a popular WordPress form builder used by over 6 million active websites. This vulnerability, which has been assigned a high CVSS score of 8.5, targets businesses relying on WPForms for payment processing and subscription management, especially those using Stripe integration.
The flaw allows authenticated attackers to exploit the vulnerability to execute unauthorized refunds and cancellations of Stripe subscriptions, potentially leading to financial loss and operational disruptions.
Understanding the WPForms Plugin Vulnerability (CVE-2024-11205)
WPForms is one of the most widely used WordPress plugins for creating various types of forms, including contact, feedback, and payment forms. The plugin is particularly popular for its intuitive drag-and-drop interface, which makes it easy for users to design and manage forms.
The vulnerability in WPForms stems from a flaw in the plugin’s core functionality, specifically within the SingleActionsHandler class, which manages Stripe payment actions. The vulnerable functions, ajax_single_payment_refund() and ajax_single_payment_cancel(), allow attackers with subscriber-level or higher privileges to execute actions that would typically be restricted to administrators.
These functions rely on the wpforms_is_admin_ajax() function to verify whether an AJAX request is coming from an admin interface. However, the problem arises because this function lacks proper capability checks, making it susceptible to exploitation. Although these functions are nonce-protected, authenticated attackers can still bypass these protections by obtaining the nonce and leveraging the vulnerability to perform unauthorized actions.
The Impact of the WPForms Vulnerability
The impact of this WPForms vulnerability is severe, particularly for businesses that use WPForms to manage Stripe payments. Attackers who gain access to an account with at least subscriber-level privileges can refund Stripe payments or cancel active Stripe subscriptions. This can lead to:
- Attackers can initiate unauthorized refunds for legitimate payments, potentially causing financial harm to businesses.
- By canceling active subscriptions, attackers can interfere with ongoing services, damaging customer relationships.
- Once unauthorized refunds or cancellations occur, businesses must invest time and resources to undo the damage, adding to operational costs.
The vulnerability was present in WPForms versions 1.8.4 through 1.9.2.1, which makes a substantial number of websites vulnerable. Given the plugin’s widespread use, the flaw affects millions of WordPress sites that rely on WPForms to handle their payment and subscription services.
Technical Details of CVE-2024-11205
The vulnerability is rooted in the absence of capability checks for the wpforms_is_admin_ajax() function. This function is used to verify whether an AJAX request is coming from the WordPress admin interface. However, it does not perform the necessary authorization checks, leaving the function exposed to abuse by attackers with lower-level privileges.
Here’s a breakdown of the issue:
- Affected Functions: ajax_single_payment_refund() and ajax_single_payment_cancel() handle the Stripe payment actions, such as refunds and subscription cancellations. These actions are normally restricted to administrators.
- Lack of Authorization Checks: The wpforms_is_admin_ajax() function does not perform proper authorization checks. Attackers with subscriber-level access can exploit this flaw to invoke the AJAX actions and execute unauthorized payment actions.
- Nonce Protection: While the vulnerable functions are protected by nonce verification, attackers can bypass this by retrieving the nonce, making it possible for them to trigger the refund or subscription cancellation actions.
Mitigation and Updates
To mitigate the risks associated with CVE-2024-11205, users are strongly urged to update their WPForms plugin to the latest version, 1.9.2.2. The patched version addresses the missing authorization checks and ensures that only authorized users can trigger payment and subscription actions within the plugin.
- Ensure that your WordPress site is running the latest version of WPForms (1.9.2.2 or newer).
- Consider reviewing user roles and permissions within your WordPress site to ensure that only trusted individuals have subscriber-level access or higher.
- Keep an eye on any unauthorized refunds or cancellations that might occur until the patch has been applied.
Response to the WPForms Vulnerability
The CVE-2024-11205 vulnerability in the WPForms plugin highlights the critical importance of addressing security flaws in widely-used WordPress plugins. With over 6 million active installations, this vulnerability had the potential to cause financial loss and disrupt business operations. Wordfence’s response, in collaboration with the WPForms development team, ensured timely protection for its users, including both premium and free users, through effective security measures.
