WPForms Security Flaw: Millions of Sites at Risk for Stripe Refund Mishaps!

WPForms vulnerability CVE-2024-11205 lets subscriber-level users issue Stripe refunds or cancel subscriptions. The flaw affects versions 1.8.4 through 1.9.2.1; a patch is available in 1.9.2.2. With 3 million sites potentially at risk, upgrading is advisable. Remember, it’s not just the forms that need to be filled—patches do too!


Hot Take:

Well, folks, it seems that WPForms has turned into a master class on how to turn your subscribers into refund enthusiasts! It’s like giving a toddler the keys to your candy store and hoping they don’t discover the chocolate aisle. This bug was basically a VIP backstage pass to a refund rock concert for anyone with a subscriber account. Upgrade now, or risk your Stripe account singing the blues!

Key Points:

  • Vulnerability in WPForms could let subscriber-level users issue arbitrary Stripe refunds or cancel subscriptions.
  • Identified as CVE-2024-11205, the flaw affects versions 1.8.4 to 1.9.2.1, with a fix in 1.9.2.2.
  • The flaw originates from improper usage of ‘wpforms_is_admin_ajax()’ without capability checks.
  • Around 3 million sites might be vulnerable as they are not on the latest release branch.
  • No active exploitation detected yet, but upgrading or disabling the plugin is advised.
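The root cause in the key points above is a general WordPress pattern: an admin-ajax handler that checks only what kind of request it is, not who is making it. The following is an added illustration written for this page, not WPForms' code and not the actual vulnerable function. The plugin name (myplugin), the refund handler, the 'myplugin_refund' action and nonce, and the myplugin_do_refund() helper are all assumed; wp_doing_ajax(), check_ajax_referer(), current_user_can(), absint() and wp_send_json_error() are standard WordPress core functions.

```php
<?php
// Added example, not WPForms' code. Names prefixed "myplugin_" are assumptions.

// Placeholder for the payment-processor call (constructed for this example).
function myplugin_do_refund( $payment_id ) {
    return array( 'refunded' => $payment_id );
}

// Weak pattern: the handler only confirms that this is an admin-ajax request.
// admin-ajax.php serves every logged-in user, so a request-type check such as
// wp_doing_ajax() says nothing about the caller's role or whether the request
// was intentionally submitted. Any authenticated account reaches the refund.
function myplugin_refund_handler_weak() {
    if ( ! wp_doing_ajax() ) {
        wp_send_json_error( 'not an ajax request', 400 );
    }
    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    myplugin_do_refund( $payment_id );
    wp_send_json_success();
}

// Corrected pattern: tie the action to a capability and to a nonce.
function myplugin_refund_handler_secure() {
    // 1. CSRF: require the nonce the admin page embedded via
    //    wp_create_nonce( 'myplugin_refund' ); dies with 403 if missing/invalid.
    check_ajax_referer( 'myplugin_refund', 'nonce' );

    // 2. Authorization: only users allowed to manage the site/payments.
    //    Subscribers do not hold manage_options, so they are rejected here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 3. Input validation on the identifier before touching the payment API.
    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    if ( 0 === $payment_id ) {
        wp_send_json_error( 'invalid payment id', 400 );
    }

    $result = myplugin_do_refund( $payment_id );
    wp_send_json_success( $result );
}

// Register for logged-in users only. Deliberately no wp_ajax_nopriv_ hook:
// a refund action should never be reachable by anonymous requests.
add_action( 'wp_ajax_myplugin_refund', 'myplugin_refund_handler_secure' );
```

When auditing a plugin for this class of bug, list every wp_ajax_* and wp_ajax_nopriv_* registration and confirm that each handler performing a privileged action calls current_user_can() with an appropriate capability and verifies a nonce; a check that only establishes "this is an AJAX request" or "the user is logged in" is not an authorization check.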

The Nimble Nerd