The WPForms plugin for WordPress contains a vulnerability that allows low-privileged attackers to cancel subscriptions and issue refunds. The flaw lets an authenticated user modify payment data they should have no authority to touch.
Missing Capability Check
The vulnerability is due to a missing capability check on a plugin function called wpforms_is_admin_page. In WordPress, a capability check (normally a call to current_user_can()) is what confirms that the user making a request is authorized to perform the action. As its name suggests, this function tests whether the request is being handled on an admin page, not whether the user holds the required capability, so the plugin allowed payment-modifying actions to be performed by users who lack sufficient privileges.
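To make the distinction concrete, here is an added example (not WPForms code, and not Wordfence's) of a hypothetical plugin AJAX handler that refunds a payment. The first version is gated only on whether the request comes from the admin area; the second adds the nonce and capability checks a practitioner would expect. All names (myplugin_refund_ajax_vulnerable, myplugin_refund_ajax_hardened, myplugin_refund_payment, the 'myplugin_refund' action) are invented for illustration; is_admin(), current_user_can(), check_ajax_referer() and wp_send_json_* are real WordPress core functions.

```php
<?php
// Added example, not code from WPForms. Hypothetical handler for a
// "refund a payment" AJAX action in a WordPress plugin.

// VULNERABLE PATTERN: is_admin() only reports that the request is being
// served from the wp-admin area. admin-ajax.php lives under wp-admin, so
// is_admin() returns true for every AJAX request, including one sent by a
// logged-in Subscriber. It is a context check, not an authorization check.
function myplugin_refund_ajax_vulnerable() {
    if ( ! is_admin() ) {
        wp_send_json_error( 'not an admin page' ); // exits
    }
    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    myplugin_refund_payment( $payment_id ); // any authenticated user reaches this
    wp_send_json_success();
}

// HARDENED PATTERN: verify the nonce (anti-CSRF) and then the capability
// (authorization) before touching payment data.
function myplugin_refund_ajax_hardened() {
    // Dies with a 403 unless the request carries a valid nonce for the
    // 'myplugin_refund' action in the 'nonce' request field.
    check_ajax_referer( 'myplugin_refund', 'nonce' );

    // Capability check: only users allowed to administer the plugin may
    // refund. 'manage_options' is the Administrator-level capability; a
    // plugin may register a narrower custom capability instead.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    if ( 0 === $payment_id ) {
        wp_send_json_error( 'invalid payment id', 400 );
    }
    myplugin_refund_payment( $payment_id );
    wp_send_json_success();
}

// Hypothetical stand-in for the call to the payment provider's refund API.
function myplugin_refund_payment( $payment_id ) {
    // ... gateway refund request for $payment_id would go here ...
}

// wp_ajax_{action} hooks fire only for logged-in users, which is exactly the
// "authenticated attacker with Subscriber-level access" precondition: the
// hook itself does not distinguish a Subscriber from an Administrator.
add_action( 'wp_ajax_myplugin_refund', 'myplugin_refund_ajax_hardened' );
```

The practical check when reviewing a plugin is to look at every wp_ajax_ and REST callback that changes state and confirm it calls current_user_can() (or a permission_callback for REST routes) with a specific capability; is_admin(), wpforms_is_admin_page-style helpers, or "is the user logged in" tests do not substitute for it.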
An attacker needs at least a Subscriber-level account to exploit this. Subscriber is the lowest default WordPress role, and authenticated flaws that require it normally do not receive this high a severity rating. The higher rating here is likely because sites that sell subscriptions through WPForms are exactly the sites that let customers register, so a Subscriber account is easy to obtain, and the actions it unlocks (refunding payments and cancelling subscriptions) have direct financial impact.
The Wordfence announcement explains it like this:
“The WPForms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘wpforms_is_admin_page’ function in versions starting from 1.8.4 up to, and including, 1.9.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to refund payments and cancel subscriptions.”
WPForms users running any version from 1.8.4 up to and including 1.9.2.1 should update the plugin to the latest release.
Read the Wordfence security alert:
Featured Image by Shutterstock/Tithi Luadthong