Security flaw in WPForms plugin exposes millions of WordPress sites to unauthorized Stripe refunds

bleepingcomputer.com

A security flaw in WPForms, a popular WordPress plugin used on over 6 million sites, allows subscriber-level users to issue unauthorized Stripe refunds and cancel subscriptions. The vulnerability, tracked as CVE-2024-11205, affects versions 1.8.4 to 1.9.2.1. The issue arises from improper authorization checks in the plugin's code, so any authenticated user, down to the Subscriber role, can reach these sensitive functions. A patch was released in version 1.9.2.2 on November 18, 2024, adding the missing checks. About half of WPForms users are still on older versions, leaving at least 3 million sites potentially vulnerable. While no active exploitation has been reported, users are advised to update to the latest version or disable the plugin.
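As an added illustration, not WPForms' own code and not its real handler or action names (all `myplugin_*` identifiers are invented), the hypothetical WordPress AJAX handler below shows the bug class the summary describes: a payment-refund action reachable by any logged-in user because the handler never checks the caller's capability, placed beside a hardened version that verifies a nonce and requires an administrator-level capability.

```php
<?php
// Hypothetical payment-refund AJAX handler for a WordPress plugin.
// Placeholder for the real Stripe call; returns true to stand in for a refund.
function myplugin_stripe_refund( int $payment_id ): bool {
    return $payment_id > 0;
}

// VULNERABLE (shown for contrast, intentionally not registered).
// 'wp_ajax_*' hooks fire for every authenticated role, Subscriber included,
// and nothing here checks who is calling before the refund is issued.
function myplugin_refund_payment_vulnerable() {
    $payment_id = absint( $_POST['payment_id'] ?? 0 );
    myplugin_stripe_refund( $payment_id );
    wp_send_json_success();
}

// HARDENED: bind the request to a nonce for this specific action, then
// require a capability that only administrators hold. Both checks run
// before any input is used or any payment function is touched.
function myplugin_refund_payment_fixed() {
    // Dies with HTTP 403 if the 'nonce' field is missing or invalid.
    check_ajax_referer( 'myplugin_refund_payment', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $payment_id = absint( $_POST['payment_id'] ?? 0 );
    if ( 0 === $payment_id ) {
        wp_send_json_error( array( 'message' => 'Invalid payment id.' ), 400 );
    }

    if ( ! myplugin_stripe_refund( $payment_id ) ) {
        wp_send_json_error( array( 'message' => 'Refund failed.' ), 500 );
    }
    wp_send_json_success();
}

// Only the hardened handler is wired to the AJAX action.
add_action( 'wp_ajax_myplugin_refund_payment', 'myplugin_refund_payment_fixed' );
```

When reviewing a plugin for this class of defect, check every `wp_ajax_*` callback that performs a privileged action for a `current_user_can()` test (and a nonce check) before it reads request input.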

