Decrypt LOL


WPForms Vulnerability Affects Millions of WordPress Sites


💸 Critical WPForms vulnerability exposes millions of WordPress sites to Stripe refund exploitation. A high-severity flaw, tracked as CVE-2024-11205, affects WPForms versions 1.8.4 to 1.9.2.1, allowing authenticated users, including subscribers, to issue arbitrary Stripe refunds and cancel subscriptions due to inadequate capability checks in AJAX functions. Discovered by security researcher ‘vullu164,’ the vulnerability could impact over 3 million sites still using outdated versions of the plugin. A patch was released in version 1.9.2.2 on November 18, 2024, which implements proper authorization mechanisms. Website owners are urged to upgrade immediately or disable the plugin to prevent potential revenue loss and customer trust issues. Wordfence has not yet detected active exploitation of this vulnerability.
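The bug class described above, missing capability checks in an admin-ajax handler, as an added illustration that is not WPForms code: a handler with the flaw next to one that applies the nonce and capability checks a fix of this kind adds. The hook, function and option names (`acme_refund`, `acme_stripe_refund`, `acme_stripe_secret`) are hypothetical.

```php
<?php
// Added example, not the plugin's code. Hook/function/option names are hypothetical.

// Shape of the flaw (shown for contrast, deliberately NOT hooked):
// wp_ajax_{action} fires for every logged-in user, so being authenticated,
// even as a Subscriber, is the only "authorization" this handler performs.
function acme_refund_vulnerable() {
    $charge_id = sanitize_text_field( wp_unslash( $_POST['charge_id'] ?? '' ) );
    acme_stripe_refund( $charge_id );          // privileged action, no checks
    wp_send_json_success();
}

// Hardened handler: this is the one actually registered.
add_action( 'wp_ajax_acme_refund', 'acme_refund_fixed' );
function acme_refund_fixed() {
    // 1. CSRF: the request must carry a nonce minted for this action
    //    (wp_create_nonce( 'acme_refund' ) on the page that issues the request).
    //    check_ajax_referer() terminates the request itself on failure.
    check_ajax_referer( 'acme_refund', 'nonce' );

    // 2. Authorization: only users who may manage payments proceed.
    //    manage_options is held by Administrators, never by Subscribers.
    //    wp_send_json_error() calls wp_die(), so no explicit return is needed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation after the authorization gate.
    $charge_id = sanitize_text_field( wp_unslash( $_POST['charge_id'] ?? '' ) );
    if ( '' === $charge_id ) {
        wp_send_json_error( array( 'message' => 'Missing charge id.' ), 400 );
    }

    acme_stripe_refund( $charge_id );
    wp_send_json_success();
}

// Stand-in for the call to Stripe's refund endpoint (hypothetical helper).
function acme_stripe_refund( $charge_id ) {
    $secret = get_option( 'acme_stripe_secret' );   // hypothetical option name
    wp_remote_post( 'https://api.stripe.com/v1/refunds', array(
        'headers' => array( 'Authorization' => 'Bearer ' . $secret ),
        'body'    => array( 'charge' => $charge_id ),
    ) );
}
```

For detection, 403 responses from admin-ajax.php refund actions issued by low-privilege accounts are the signal to alert on once the patch is in place.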
