MalCare Shields Over 6,000,000 Sites Against Critical Vulnerability in WPForms Plugin

On October 23rd, 2024, a critical vulnerability was discovered in the WPForms plugin. This vulnerability affects versions of the plugin from v1.8.4 up to and including v1.9.2.1.
It allows attackers with subscriber-level access and above to refund Stripe payments and cancel Stripe subscriptions without proper authorization. If exploited, they could cause unauthorized financial transactions on your site.
If you are using this plugin, we recommend updating the plugin to the patched version v1.9.2.2 immediately. Additionally, scan your site to identify any potential issues and address them promptly.
What is the vulnerability?

If your website is one of the 6,000,000 sites using the WPForms plugin, there’s an important security issue you should know about. It’s called the Missing Authorization vulnerability, and it affects versions v1.8.4 through v1.9.2.1.
This vulnerability enables unauthorized users with basic access, like subscribers, to refund payments or cancel subscriptions through Stripe. This means individuals who shouldn’t have control over these actions could potentially disrupt your financial transactions.
Should you be worried?
Yes, this is a serious concern. The Missing Authorization vulnerability in the WPForms plugin is critical, with a CVSS score of 8.5, indicating a high-level threat.
This vulnerability allows unauthorized users to manipulate financial transactions on your site, which could lead to significant issues. It is essential to update the plugin to version v1.9.2.2 without delay to protect your website from potential exploitation.

What should you do next?
To ensure your site remains protected, taking immediate action is important. Here’s what you need to do:

What if your site is already compromised?
If you have a hunch your site’s been compromised, it’s important to tackle the issue right away. Here’s what to do next:
Technical details of the vulnerabilities
Issue
The WPForms plugin has a Missing Authorization vulnerability. This issue enables users with minimal access, such as subscribers, to carry out unauthorized actions.
These actions include refunding payments and canceling subscriptions through Stripe. Due to the lack of proper authorization checks, users can interfere with financial transactions without the necessary permissions. This poses a significant security risk to your site’s operations.
Root cause
The core issue in the WPForms plugin is insufficient checks on user permissions for specific actions. This oversight means that the system doesn’t verify if users are authorized to perform actions like refunding payments or canceling subscriptions through Stripe.
Two functions, ajax_single_payment_refund() and ajax_single_payment_cancel(), are at the center of this problem. These functions handle the refund and cancellation requests but do not properly check whether the requesting user has the right level of access.
As a result, even users with minimal access, such as subscribers, can initiate these actions without the necessary permissions.
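To make the root cause concrete, here is an added example of the general pattern behind this class of bug in a WordPress AJAX handler. It is illustrative code written for this article, not WPForms' own code; the hook names, function names and the example_stripe_refund() wrapper are hypothetical. The point it shows is that wp_ajax_* hooks fire for any authenticated user, including subscribers, so a handler that never calls current_user_can() lets anyone who can log in trigger the action.

```php
<?php
// Illustrative WordPress AJAX handlers (not WPForms' code; all names hypothetical).

// Hypothetical wrapper around the Stripe refund API; the body is irrelevant here.
function example_stripe_refund( $payment_id ) {
    return true; // assume the refund was issued
}

// Vulnerable pattern: wp_ajax_* runs for every logged-in user, and nothing here
// asks whether that user is allowed to refund payments. A subscriber account
// is enough to reach example_stripe_refund().
add_action( 'wp_ajax_example_payment_refund', 'example_refund_vulnerable' );
function example_refund_vulnerable() {
    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    example_stripe_refund( $payment_id );
    wp_send_json_success();
}

// Hardened pattern: verify the request nonce, then verify the capability,
// before any financial action is taken.
add_action( 'wp_ajax_example_payment_refund_safe', 'example_refund_hardened' );
function example_refund_hardened() {
    // 1. CSRF protection: the nonce must have been created with
    //    wp_create_nonce( 'example_payment_action' ) for this user.
    check_ajax_referer( 'example_payment_action', 'nonce' );

    // 2. Authorization: 'manage_options' is used here for illustration;
    //    a plugin would normally register and check its own capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // 3. Input validation before touching the payment backend.
    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    if ( 0 === $payment_id ) {
        wp_send_json_error( array( 'message' => 'Invalid payment id.' ), 400 );
    }

    example_stripe_refund( $payment_id );
    wp_send_json_success();
}
```

The nonce alone is not an authorization check: a subscriber can obtain a valid nonce for their own session, so the current_user_can() test is what actually closes the gap described above.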

Timeline
How MalCare protects your site
If you are a MalCare user, your site is safeguarded against the Missing Authorization vulnerability in the WPForms plugin. MalCare’s advanced Atomic Security firewall is designed to shield your site from such risks without needing any manual intervention. Here’s how:
How to keep your site secure
Ensuring your WordPress site remains secure is crucial for protecting against potential threats and vulnerabilities. Here are some basic measures to take to improve your site’s protection:
- Install a security plugin: Opt for a reliable security plugin, like MalCare, to strengthen your site. Your security plugin should offer features such as malware detection, firewall protection, and activity monitoring to help safeguard your site.
- Schedule regular backups: Make it a habit to back up your website’s files and database frequently. This allows for quick restoration if any problems occur.
- Update everything: Regularly update your WordPress core, themes, and plugins. Developers issue updates to patch security vulnerabilities, so applying these promptly is essential.
- Use strong passwords: Set complex, unique passwords for all website-related accounts, including those for admin, FTP, and databases. A password manager can assist in generating and securely storing these passwords.
- Enable two-factor authentication: Enabling two-factor authentication adds an extra layer of security by requiring a second verification step, such as entering a code sent to your phone. This makes it significantly more difficult for unauthorized users to gain access.
- Monitor site activity: Keep an attentive eye on your site’s activity and logs to quickly detect any unusual behavior. This approach helps in addressing potential threats before they escalate into bigger issues.