Wordpress: WPForms plug-in tears security hole in 6 million websites

Attackers can abuse a loophole in the Wordpress plug-in WPForms to reverse payments, for example. Six million websites use the plug-in.


IT security researchers have discovered a vulnerability in the WordPress plug-in WPForms that could allow attackers to refund payments or cancel subscriptions, for example. Updated software is available that fixes the vulnerability.

In a blog post, the company Wordfence writes that registered users with subscriber access or higher rights can refund payments and cancel subscriptions. This is due to a missing capability check in the wpforms_is_admin_page function, which allows unauthorized changes to data (CVE-2024-11205, CVSS 8.5, risk "high").

The Wordpress plug-in WPForms is one of the most popular extensions and is used on more than six million Wordpress sites. WPForms is used to create forms such as contact forms, feedback forms, subscription forms and so on. Users can easily create such forms with drag-and-drop. Vulnerable versions are 1.8.4 to 1.9.2.1 inclusive; WPForms 1.9.2.2 and newer versions patch the vulnerability. The update has been available since November 18th.


Wordpress admins should ensure that the latest version of WPForms is installed in their Wordpress instance, Wordfence recommends. The IT researchers also discuss the error in the source code in more detail in the blog post.
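As an added example (not code from heise, Wordfence or the WPForms project), a small Python checker that reads the plug-in version from a WordPress plug-in file header and tests it against the 1.8.4 to 1.9.2.1 range named above; the header below is constructed for the example, and the assumption that the main plug-in file is wpforms.php inside the plug-in directory is the admin's to verify.

```python
import re
from typing import Optional

# Affected range from the article: 1.8.4 up to and including 1.9.2.1; fixed in 1.9.2.2.
VULN_FIRST = (1, 8, 4)
VULN_LAST = (1, 9, 2, 1)
FIXED_IN = "1.9.2.2"

# Constructed sample of a WordPress plug-in header, not the real WPForms file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: WPForms Lite
 * Version: 1.9.2.1
 * Text Domain: wpforms-lite
 */
"""

def parse_version(text: str) -> tuple:
    """'1.9.2.1' -> (1, 9, 2, 1); suffixes like '-beta' are ignored and
    trailing zeros dropped, so '1.9.2.0' compares equal to '1.9.2'."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

def version_from_plugin_header(header_text: str) -> Optional[str]:
    """Extract the 'Version:' header line the way WordPress reads plug-in metadata."""
    m = re.search(r"^[ \t/*#@]*Version:[ \t]*(\S+)", header_text, re.MULTILINE)
    return m.group(1) if m else None

def is_vulnerable(version: str) -> bool:
    """True if the version falls inside the CVE-2024-11205 affected range."""
    return VULN_FIRST <= parse_version(version) <= VULN_LAST

def assess(header_text: str) -> dict:
    """Read the version from a plug-in file's header and report the verdict."""
    version = version_from_plugin_header(header_text)
    if version is None:
        return {"version": None, "vulnerable": None, "action": "no Version header found"}
    vulnerable = is_vulnerable(version)
    action = f"update WPForms to {FIXED_IN} or newer" if vulnerable else "no action needed"
    return {"version": version, "vulnerable": vulnerable, "action": action}

if __name__ == "__main__":
    print(assess(SAMPLE_HEADER))
```

To run it against a real site, read the main plug-in file (for example `wp-content/plugins/wpforms-lite/wpforms.php`) and pass its contents to `assess`.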

Wordpress plug-ins repeatedly make Wordpress instances vulnerable. At the end of November, for example, it became known that there were two critical security gaps in the Wordpress plug-in Anti-Spam by Cleantalk. Attackers from the web were able to completely compromise vulnerable instances without prior authentication. The plug-in is used on more than 200,000 websites.

(dmk)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.