A vulnerability in the WPForms plugin for WordPress allows attackers to cancel subscriptions and issue refunds. The flaw lets attackers modify data they normally should not have access to.
Missing Capability Check
The vulnerability is due to a missing capability check in a plugin function called wpforms_is_admin_page: the plugin does not verify that the user attempting to make a change through this function holds the appropriate permissions. As a result, the plugin allows data to be modified by attackers lacking sufficient privileges.
Attackers need at least subscriber-level permissions in order to launch an attack. Normally this kind of authenticated attack does not receive such a high severity rating. The higher rating here may be because sites that sell subscriptions are likely to have many subscriber-level users, which makes the required access easy to obtain.
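To illustrate the bug class described above (a privileged action reachable by any logged-in user because the handler never checks a capability), here is an added example of a hypothetical WordPress AJAX handler beside its hardened form. This is not WPForms' code and does not describe the plugin's actual code path; myplugin_refund_payment(), the action name and the nonce name are assumptions.

```php
<?php
// Hypothetical plugin code, not WPForms' own. Assumes a helper
// myplugin_refund_payment( $payment_id ) exists elsewhere in the plugin.

// BEFORE (vulnerable pattern): wp_ajax_* hooks only require that the caller is
// logged in, so a Subscriber-level account reaches this handler. Nothing here
// checks who the caller is, so the refund runs unconditionally.
function myplugin_ajax_refund_vulnerable() {
    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    myplugin_refund_payment( $payment_id );
    wp_send_json_success();
}

// AFTER (hardened): verify a CSRF nonce and a capability before doing anything.
function myplugin_ajax_refund_hardened() {
    // Nonce check: the request must come from a page/form this plugin issued.
    check_ajax_referer( 'myplugin_refund_nonce', 'nonce' );

    // Capability check: being authenticated is not enough. 'manage_options' is a
    // stock WordPress capability held by administrators, not by subscribers.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    if ( 0 === $payment_id ) {
        wp_send_json_error( array( 'message' => 'Invalid payment id.' ), 400 );
    }

    myplugin_refund_payment( $payment_id );
    wp_send_json_success();
}

// Only the hardened handler is wired to the action; the vulnerable one is shown
// for comparison and must not be registered.
add_action( 'wp_ajax_myplugin_refund', 'myplugin_ajax_refund_hardened' );
```

When reviewing a plugin, the quick check is that every wp_ajax_*, REST route permission_callback and admin-post handler that changes state calls current_user_can() with a capability that the lowest intended role actually has, rather than relying on the login requirement alone.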
The Wordfence announcement explains it like this:
“The WPForms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘wpforms_is_admin_page’ function in versions starting from 1.8.4 up to, and including, 1.9.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to refund payments and cancel subscriptions.”
It’s recommended that users of WPForms versions 1.8.4 up to and including 1.9.2.1 update the plugin.
Read the Wordfence security alert:
WPForms 1.8.4 – 1.9.2.1 – Missing Authorization to Authenticated (Subscriber+) Payment Refund and Subscription Cancellation
Featured Image by Shutterstock/Tithi Luadthong