Security flaw in top WordPress plugin could allow for Stripe refunds on millions of sites

11 December 2024, 20:09 published

[ad_1]

Security researchers found a flaw in WPForms, a popular WordPress plugin for forms
The bug allows malicious actors to ask for Stripe refunds and cancel certain subscriptions
Developers were notified, and have issued a patch

WPForms, a popular WordPress plugin used for contact, feedback, and payment forms, was carrying a vulnerability that could have resulted in businesses having their services disrupted, customer trust eroded, and even losing money, experts have revealed.

Security researcher “vullu164” recently told Wordfence they found a vulnerability in WPForms versions 1.8.4 – 1.9.2, both free and paid versions. The bug allows users with low-level accounts to issue arbitrary Stripe refunds, or cancel different subscriptions.

It is now tracked as CVE-2024-11205, and was assigned a severity score of 8.5 (high). The score may even have been higher if not for the prerequisite of being a registered member on the site. However, since most sites these days allow account registration, exploiting the flaw could be quite easy, and available on numerous sites across the internet.

Releasing the patch

Wordfence then analyzed the flaw on its own, and after confirming the findings, reached out to WPForms’ developer Awesome Motive, who came back with a patch on November 18.

The earliest fixed version of WPForms is 1.9.2.2, and users are highly advised to patch up without delay, or disable the plugin until they do.

WPForms is installed on more than six million websites across the internet, with roughly half currently running an old and vulnerable version. Researchers have not yet found evidence of abuse in the wild, but given the popularity of the plugin, it’s only a matter of time before they do.

WordPress is the world’s most popular website builder platform. It powers roughly half of the world’s internet sites, and as such is a major target for cybercriminals. The platform itself, however, is considered safe, and threat actors are mostly focused on plugins and other addons (such as themes) for vulnerabilities and access points.

Paid plugins are usually considered safer, since they have a dedicated team that maintains the code. Free plugins, especially those run by a single enthusiast, or those with fewer users, are usually more susceptible to attacks.

Via BleepingComputer

[ad_2]

Source link

Joy

Cong.

Loved

Surprised

Unliked

Mad

Security flaw in top WordPress plugin could allow for Stripe refunds on millions of sites

Comment

Security flaw in top WordPress plugin could allow for Stripe refunds on millions of sites

Write a Reply Cancel

You may be interested

The Galaxy S25 could have genuinely useful AI features that trump Apple Intelligence – including these 5 tricks

I’ve been waiting years for ChatGPT’s new Tasks feature – here’s how I’m planning to use it to organize my life

Wrexham’s new stadium plans get even BIGGER after Ryan Reynolds revealed vision for 55,000-seater ground

150TB SSD modules to go mainstream in 2025, and Micron is getting a slice of that pie

Nvidia abandons the problematic 12VHPWR RTX 4080 power connector with a much longer one for the RTX 5080 FE according to leaked images

Transfer news LIVE: Saudis set to offer Mohamed Salah £65m, Marcus Rashford EXCLUSIVE, Trent Alexander-Arnold TWIST

L’Oreal’s new skin testing suite paid me such a nice compliment, I nearly stole it from the demo room

Israel, Hamas appear to agree on tentative Gaza ceasefire deal: officials – National

Thousands of WordPress websites hit in new malware attack, here’s what we know

Privacy of millions worldwide compromised as huge data location broker got hacked

Security flaw in top WordPress plugin could allow for Stripe refunds on millions of sites

Share This Post

or copy the link

Related News

Write a Reply Cancel

You may be interested