WPForms 1.8.4 – 1.9.2.1 – Missing Authorization to Authenticated (Subscriber+) Payment Refund and Subscription Cancellation | CVE 2024-11205 | Plugin Vulnerabilities

Description

The WPForms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpforms_is_admin_page' function in versions starting from 1.8.4 up to, and including, 1.9.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to refund payments and cancel subscriptions.

Affects Plugins

Fixed in 1.9.2.2

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/66898509-a93c-4dc3-bf01-1743daaa0ff1

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

villu164

Verified

No

WPVDB ID

4e8abd1c-47ff-4f74-a9dd-d827b0fa57c8

Timeline

Publicly Published

2024-12-09 (about 1 year ago)

Added

2024-12-17 (about 1 year ago)

Last Updated

2024-12-17 (about 1 year ago)

Other

Published

Title

Published

2026-02-08

Title

AI ChatBot with ChatGPT and Content Generator by AYS < 2.7.5 - Missing Authorization

Published

2024-11-12

Title

Kognetiks Chatbot for WordPress < 2.1.8 - Missing Authorization to Authenticated (Subscriber+) Assistant Update

Published

2022-11-28

Title

Theme and plugin translation for Polylang < 3.2.17 - Unauthenticated Translation Settings Update

Published

2023-11-09

Title

Japanized For WooCommerce < 2.6.5 - Missing Authorization

Published

2026-02-18

Title

SEO Plugin by Squirrly SEO < 12.4.15 - Missing Authorization to Authenticated (Subscriber+) Cloud Service Disconnection