A bug allows unexpected refunds on millions of WordPress sites

WordPress is known for its user-friendliness and for the flexibility its countless plugins provide, but those same plugins are also the source of a steady stream of vulnerabilities. If you run an online store or a subscription platform on WordPress, this one deserves your attention.

A serious authorization flaw has been discovered in the WPForms plugin, which is used by millions of WordPress sites. According to Wordfence, the vulnerability lets any logged-in user, even an account with the lowest default role (Subscriber), refund payments or cancel subscriptions processed through Stripe, the online payment platform WPForms integrates with for handling transactions, without the site owner's involvement. There is currently no evidence of active exploitation, but now that the flaw is public, site owners should apply the available patch without delay.

The WPForms plugin, active on more than 6 million WordPress sites, is affected in versions 1.8.4 through 1.9.2.1 (CVE-2024-11205; CVSS score 8.5, i.e. High severity). The root cause is a missing authorization check: the functions that trigger Stripe refunds and subscription cancellations could be reached by low-privilege users, which is a direct financial risk for e-commerce sites and subscription platforms. The WPForms developers responded quickly, releasing version 1.9.2.2 in mid-November with proper capability checks on the affected functions. WordPress administrators should update WPForms immediately, and, because the flaw allowed refunds and cancellations to be issued silently, should also review their Stripe dashboard for refunds or cancellations they did not initiate.
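The class of bug described above is a WordPress AJAX handler that performs a privileged action without checking the caller's capabilities. The following is an added illustration written for this article, not code from WPForms or from Wordfence: it shows a hypothetical plugin's refund handler in the vulnerable shape and in a hardened shape. The plugin name, hook names (`myplugin_refund`), the `payment_id` parameter and the `manage_options` capability are assumptions chosen for the example; a real plugin would use its own capability.

```php
<?php
/**
 * Added example (not WPForms code). Hypothetical plugin "myplugin" exposing a
 * Stripe refund action through admin-ajax.php. All names are assumptions.
 */

/*
 * VULNERABLE PATTERN (the "before" shape).
 *
 * Hooks prefixed wp_ajax_ fire for ANY logged-in user, Subscriber included.
 * Likewise is_admin() and wp_doing_ajax() are true for every admin-ajax.php
 * request regardless of who sent it. None of these is an authorization check,
 * so a handler that relies on them alone lets the lowest role issue refunds.
 */
function myplugin_refund_vulnerable() {
    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    // ... look up the Stripe charge for $payment_id and issue the refund ...
    wp_send_json_success( array( 'refunded' => $payment_id ) );
}

/*
 * HARDENED PATTERN.
 *
 * 1. check_ajax_referer() validates a nonce created for this exact action
 *    (wp_create_nonce( 'myplugin_refund' ) on the admin page that renders the
 *    refund button) and stops the request on failure; this blocks CSRF.
 * 2. current_user_can() checks that the caller holds a capability only trusted
 *    roles have; this is the authorization check that was missing.
 * Both checks run before any Stripe call is made.
 */
add_action( 'wp_ajax_myplugin_refund', 'myplugin_refund_hardened' );
function myplugin_refund_hardened() {
    // Nonce expected in the POST field "nonce"; dies with 403 if missing/invalid.
    check_ajax_referer( 'myplugin_refund', 'nonce' );

    // Assumption: only administrators may refund. Do NOT hook this on
    // wp_ajax_nopriv_, which would expose it to anonymous visitors.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    if ( ! $payment_id ) {
        wp_send_json_error( array( 'message' => 'invalid payment id' ), 400 );
    }

    // ... refund via Stripe only after both checks have passed ...
    wp_send_json_success( array( 'refunded' => $payment_id ) );
}
```

When auditing a plugin for this bug class, grep for `add_action( 'wp_ajax_` and confirm that every handler performing a state-changing action calls `current_user_can()` (or the plugin's own capability wrapper) and a nonce check before doing the work; a handler that only tests whether the request came through admin-ajax is still reachable by a Subscriber.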