
WPForms bug allows Stripe refunds on millions of WordPress sites


A vulnerability in WPForms, a WordPress plugin used in over 6 million websites, could allow subscriber-level users to issue arbitrary Stripe refunds or cancel subscriptions.

Tracked under CVE-2024-11205, the flaw was rated high severity rather than critical because exploitation requires an authenticated account. However, since membership systems are available on most sites, that prerequisite is easy to meet, and exploitation may be fairly easy in most cases.

The issue affects WPForms versions 1.8.4 through 1.9.2.1, and was patched in version 1.9.2.2, released last month.

WPForms is an easy-to-use drag-and-drop WordPress form builder for creating contact, feedback, subscription, and payment forms, offering support for Stripe, PayPal, Square, and others.

The plugin is available in both a premium (WPForms Pro) version and a free (WPForms Lite) edition. The latter is active on over six million WordPress sites.

The vulnerability stems from the plugin improperly relying on the function 'wpforms_is_admin_ajax()' as an authorization check, when all it determines is whether a request is an admin AJAX call.

While this function checks if the request originates from an admin path, it does not enforce capability checks to restrict access based on the user's role or permissions.

This allows any authenticated user, even subscribers, to invoke sensitive AJAX functions like 'ajax_single_payment_refund(),' which executes Stripe refunds, and 'ajax_single_payment_cancel(),' which cancels subscriptions.
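The pattern described above, shown as an added illustration in plain WordPress plugin code (not WPForms' own code): a handler gated only on "is this an admin AJAX request?" beside one gated on the user's capability plus a nonce. All names prefixed `example_` are hypothetical stand-ins; `is_admin()`, `wp_doing_ajax()`, `current_user_can()`, `check_ajax_referer()` and the `wp_send_json_*()` helpers are real WordPress functions.

```php
<?php
// Added illustration, not WPForms' code. Names prefixed example_ are hypothetical.

// Stand-in for the kind of check the article describes: is_admin() is true for
// any request routed through wp-admin/admin-ajax.php, whatever the caller's role,
// so this says nothing about what the user is allowed to do.
function example_is_admin_ajax() {
    return is_admin() && wp_doing_ajax();
}

// VULNERABLE pattern: only the request path is checked, so any logged-in user
// (a subscriber included) who posts to admin-ajax.php reaches the refund logic.
function example_refund_vulnerable() {
    if ( ! example_is_admin_ajax() ) {
        wp_send_json_error( 'not an admin-ajax request' );
    }
    $payment_id = absint( $_POST['payment_id'] ?? 0 );
    example_issue_stripe_refund( $payment_id ); // hypothetical helper
    wp_send_json_success();
}

// FIXED pattern: a nonce bound to this action (blocks cross-site request
// forgery) and a capability check (an authorization decision tied to the
// user's role), both evaluated before anything touches the payment.
function example_refund_fixed() {
    check_ajax_referer( 'example_payments_nonce', 'nonce' ); // dies on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    $payment_id = absint( $_POST['payment_id'] ?? 0 );
    if ( ! $payment_id ) {
        wp_send_json_error( 'invalid payment id', 400 );
    }
    example_issue_stripe_refund( $payment_id ); // hypothetical helper
    wp_send_json_success();
}

// Hypothetical stand-in for the Stripe call; only logs in this illustration.
function example_issue_stripe_refund( $payment_id ) {
    error_log( "would refund payment {$payment_id}" );
}

// Register the hardened handler for logged-in users only. Deliberately no
// wp_ajax_nopriv_ hook: unauthenticated callers should never reach it at all.
add_action( 'wp_ajax_example_refund', 'example_refund_fixed' );
```

The capability to require depends on the action; the point is that the decision must be made on the user's role, not on the URL the request arrived through.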

The consequences of CVE-2024-11205 exploitation could be severe for website owners, leading to loss of revenue, business disruption, and trust issues with their customer base.

Fix available

The flaw was discovered by security researcher 'vullu164,' who reported it to Wordfence's bug bounty program for a payout of $2,376 on November 8, 2024.

Wordfence subsequently validated the report and confirmed the provided exploit, sending the full details to the vendor, Awesome Motive, on November 14.

By November 18, Awesome Motive released the fixed version 1.9.2.2, adding proper capability checks and authorization mechanisms in the affected AJAX functions.

According to wordpress.org stats, roughly half of all sites using WPForms aren't even on the latest release branch (1.9.x), so the number of vulnerable websites is at least 3 million.

Wordfence has not detected active exploitation of CVE-2024-11205 in the wild yet, but upgrading to version 1.9.2.2 as soon as possible or disabling the plugin from your site is recommended.
