PT-2024-9554 · Stripe · Stripe

Villu Orav +1

Published: 2024-11-14 · Updated: 2025-08-12 · CVE-2024-11205

CVSS v3.1: 8.5 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions: WPForms versions 1.8.4 through 1.9.2.1

Description: The issue is a missing capability check in the wpforms_is_admin_page function, which allows authenticated attackers with Subscriber-level access and above to refund payments and cancel subscriptions. This affects the WPForms plugin for WordPress, potentially impacting over 6 million websites. The vulnerability can be exploited by authenticated users to perform unauthorized Stripe refunds and subscription cancellations.

Recommendations: For WPForms versions 1.8.4 through 1.9.2.1, update to version 1.9.2.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the wpforms_is_admin_page function to prevent unauthorized modifications. Additionally, restrict access to the Stripe payment system to minimize the risk of exploitation.
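The weakness class behind this advisory (CWE-862, a page-context check used where a capability check belongs) and its fix, as an added illustration: this is not WPForms's code, and the `my_plugin_*` function names, the `manage_options` capability and the nonce action name are assumptions for the example.

```php
<?php
// Illustrative only (not WPForms's code); my_plugin_* names are hypothetical.

// WEAK: decides "is this one of our admin pages?" purely from request parameters.
// It says nothing about WHO is making the request, so any logged-in user
// (Subscriber and up) satisfies it simply by sending the same parameters.
function my_plugin_is_admin_page( $slug = '' ) {
    $page = isset( $_GET['page'] ) ? sanitize_key( $_GET['page'] ) : '';
    if ( 0 !== strpos( $page, 'my-plugin' ) ) {
        return false;
    }
    return '' === $slug || "my-plugin-{$slug}" === $page;
}

// Vulnerable pattern: the page check is the only gate before a money-moving action.
function my_plugin_refund_payment() {
    if ( ! my_plugin_is_admin_page( 'payments' ) ) {
        wp_send_json_error( 'not an admin page' );
    }
    // ... issue the refund / cancel the subscription via the gateway API ...
    wp_send_json_success();
}

// FIXED: authorization is an explicit capability check on the current user,
// plus a nonce so the request cannot be forged cross-site. The page check is
// kept only as routing, never as the authorization decision.
function my_plugin_refund_payment_fixed() {
    check_ajax_referer( 'my_plugin_refund', 'nonce' );          // assumed action name
    if ( ! current_user_can( 'manage_options' ) ) {             // assumed capability
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    if ( ! my_plugin_is_admin_page( 'payments' ) ) {
        wp_send_json_error( 'not an admin page' );
    }
    // ... issue the refund / cancel the subscription via the gateway API ...
    wp_send_json_success();
}
add_action( 'wp_ajax_my_plugin_refund_payment', 'my_plugin_refund_payment_fixed' );
```

When reviewing a plugin for this class of bug, search for payment or state-changing handlers whose only guard is an `is_admin()`-style or page-slug check and confirm each one also calls `current_user_can()` with an appropriate capability.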

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: BDU:2024-11260, CVE-2024-11205

Affected Products: Stripe