A critical vulnerability in WPForms, one of the most widely used WordPress plugins with over six million active installations, was discovered in October 2024. The flaw was classified as ‘Missing Authorisation for Payment Refund and Subscription Cancellation,’ enabling authenticated attackers with subscriber-level access or higher to process refunds for Stripe payments and cancel Stripe subscriptions.
The vulnerability is linked to the plugin’s ajax_single_payment_refund() and ajax_single_payment_cancel() functions within the SingleActionsHandler class.
These functions, which handle Stripe payment actions, are accessible due to a missing capability check.
Although the handlers are nonce-protected, the wpforms_is_admin_ajax() function they rely on provides no robust authorisation check, so authenticated attackers can still reach them.
By leveraging the nonce, which can be accessed with subscriber-level permissions, malicious actors can trigger unauthorised refunds or cancel subscriptions, potentially leading to significant revenue losses for affected websites.
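To make the flaw class concrete, here is an added illustration (not WPForms code, and not from the researchers) of a minimal WordPress admin-ajax handler that is nonce-protected but lacks a capability check, beside a hardened version. The action name, nonce name and the refund helper example_process_refund() are hypothetical.

```php
<?php
// Added illustration, not WPForms code: a nonce-only admin-ajax handler next to a
// hardened one. Action/nonce names and example_process_refund() are hypothetical.

// Weak pattern: check_ajax_referer() only proves the request carries a valid nonce.
// Any logged-in user who can obtain that nonce (for example a subscriber) passes
// this check, so a privileged operation is reachable without any role requirement.
function example_refund_weak() {
    check_ajax_referer( 'example_payment_nonce', 'nonce' ); // CSRF protection only
    $payment_id = absint( $_POST['payment_id'] ?? 0 );
    example_process_refund( $payment_id );                   // hypothetical helper
    wp_send_json_success();
}

// Hardened pattern: the nonce check is kept, and an explicit capability check is
// added so only users granted the relevant capability reach the refund logic.
function example_refund_hardened() {
    check_ajax_referer( 'example_payment_nonce', 'nonce' );

    // Substitute the plugin's own capability; 'manage_options' is a placeholder.
    if ( ! current_user_can( 'manage_options' ) ) {
        // wp_send_json_error() ends the request, so no return is needed after it.
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $payment_id = absint( $_POST['payment_id'] ?? 0 );
    if ( ! $payment_id ) {
        wp_send_json_error( array( 'message' => 'Invalid payment id.' ), 400 );
    }

    example_process_refund( $payment_id );                   // hypothetical helper
    wp_send_json_success( array( 'payment_id' => $payment_id ) );
}

// Register only the hardened handler, and only for logged-in users: there is
// deliberately no wp_ajax_nopriv_ hook, since anonymous users should never reach
// a refund endpoint at all.
add_action( 'wp_ajax_example_refund', 'example_refund_hardened' );
```

The check worth auditing in any plugin's AJAX handlers is the same: a nonce alone stops cross-site request forgery, but it never establishes that the caller is authorised to perform the action.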
“While this is a simple vulnerability, this issue makes it possible for authenticated attackers to invoke these AJAX actions and refund Stripe payments or cancel Stripe subscriptions. This can lead to a loss of revenue on sites using WPForms to manage subscriptions,” explained researchers.
Security researchers collaborated with Awesome Motive, the developer, to create a firewall rule that was deployed on November 15. Three days later, Awesome Motive released a patched version of WPForms, 1.9.2.2.
Researchers have urged website administrators using WPForms to update to the latest version. Failure to update may leave sites vulnerable to exploitation, risking financial loss and operational disruptions.
In August, a flaw in the JS Help Desk WordPress plugin affected 5,000 websites. In July, four WordPress plugins — WP Server Health, Ad Invalid Click Protector, PowerPress Podcasting plugin by Blubrry, and SEO Optimised Images — faced supply chain attacks.