CyberSecurity updates
2025-01-07 19:57:10 Pacific

WPForms Plugin Vulnerability Exposes WordPress Sites - 4d
Read more: cve.mitre.org

A critical vulnerability, identified as CVE-2024-11205, has been discovered in the WPForms plugin for WordPress. The flaw affects plugin versions 1.8.4 through 1.9.2.1. It stems from a missing authorization check in the wpforms_is_admin_page function, which allows authenticated attackers with privileges as low as Subscriber to perform actions reserved for administrators. Specifically, a malicious user could refund payments and cancel subscriptions. Exploitation could cause significant financial loss and disruption for site owners running the affected WPForms versions.
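The flaw described above belongs to a common WordPress bug class: a handler that runs for any logged-in user because nothing in it asks whether that user is actually allowed to do the thing. The snippet below is an added illustration written for this note, not WPForms' own code, and it does not reproduce the patched function; the plugin prefix, function names, AJAX action names and the `manage_options` capability are all hypothetical choices. It shows the weak pattern next to the hardened one using standard WordPress APIs (`check_ajax_referer`, `current_user_can`, `wp_send_json_error`).

```php
<?php
// Added illustration, not WPForms code. Names prefixed "vuln_plugin_" and
// "hardened_plugin_" are hypothetical.

// WEAK PATTERN: the wp_ajax_* hook already requires a logged-in user, and
// is_admin() is true for every admin-ajax.php request, so neither of those
// says anything about the caller's role. A Subscriber reaches the refund code.
function vuln_plugin_refund_payment() {
    if ( ! is_admin() ) {            // request-context check, NOT an authorization check
        wp_send_json_error( array( 'message' => 'Not an admin request.' ) );
    }
    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    // ... call the payment gateway to refund $payment_id ...
    wp_send_json_success( array( 'refunded' => $payment_id ) );
}
add_action( 'wp_ajax_vuln_plugin_refund_payment', 'vuln_plugin_refund_payment' );

// HARDENED: tie the request to a nonce for this specific action (CSRF) and
// require an explicit capability (authorization) before touching money.
// Subscribers do not hold 'manage_options', so they get a 403 no matter how
// the request is crafted. Validate input only after both gates pass.
function hardened_plugin_refund_payment() {
    // Dies with 403 if the 'nonce' POST field is missing or invalid.
    check_ajax_referer( 'hardened_plugin_refund', 'nonce' );

    // Authorization: check a capability, never a role name or page context.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    if ( 0 === $payment_id ) {
        wp_send_json_error( array( 'message' => 'Invalid payment id.' ), 400 );
    }

    // ... call the payment gateway to refund $payment_id ...
    wp_send_json_success( array( 'refunded' => $payment_id ) );
}
add_action( 'wp_ajax_hardened_plugin_refund_payment', 'hardened_plugin_refund_payment' );
```

For defenders reviewing plugins, the thing to grep for is any `wp_ajax_*`, REST route or `admin_post_*` handler that performs a state change without a `current_user_can()` call (or a REST `permission_callback` that does the equivalent). A check on `is_admin()`, a page slug or a nonce alone is not authorization: the nonce proves the request came from a form the same user loaded, not that the user is privileged.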

The vulnerability highlights the critical need for proactive security measures within WordPress environments. A fix is available in plugin version 9.1.2.2 or later, and administrators are urged to update immediately. Website operators should review user permissions, enable two-factor authentication, and closely monitor site activity for suspicious behavior. Regular backups are also essential to ensure data integrity in the event of a successful attack. CERT-In has issued alerts to WordPress users, emphasizing the urgency of this situation and the need to apply the latest updates.