Unrated severityNVD Advisory· Published Dec 10, 2024· Updated Dec 10, 2024
WPForms 1.8.4 - 1.9.2.1 - Missing Authorization to Authenticated (Subscriber+) Payment Refund and Subscription Cancellation
CVE-2024-11205
Description
The WPForms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpforms_is_admin_page' function in versions starting from 1.8.4 up to, and including, 1.9.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to refund payments and cancel subscriptions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
3- smub/WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & Morev5Range: 1.8.4
Patches
Vulnerability mechanics
References
5- plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.9.2.1/includes/functions/checks.phpmitre
- plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.9.2.1/src/Integrations/Stripe/Admin/Payments/SingleActionsHandler.phpmitre
- plugins.trac.wordpress.org/browser/wpforms-lite/tags/1.9.2.1/src/Integrations/Stripe/Admin/Payments/SingleActionsHandler.phpmitre
- plugins.trac.wordpress.org/changeset/3191229/wpforms-litemitre
- www.wordfence.com/threat-intel/vulnerabilities/id/66898509-a93c-4dc3-bf01-1743daaa0ff1mitre
News mentions
0No linked articles in our index yet.