CVE-2024-11205 HIGH

CVE-2024-11205: WPForms 1.8.4 - 1.9.2.1 - Missing Authorization to Authenticated (Subscriber+) Payment Refund and Subscription Cancellation

Vendor Smub
Product WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More
Weakness CWE-862 · Missing authorization
Published December 10, 2024
Last update December 10, 2024
View on NVD All CVEs

CVSS base score

8.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N

What the vulnerability does

01Description

The WPForms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpforms_is_admin_page' function in versions starting from 1.8.4 up to, and including, 1.9.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to refund payments and cancel subscriptions.

Key dates

02Disclosure timeline

December 10, 2024 CVE published
December 10, 2024 Record updated

Related vulnerabilities

04Related CVE

CVE-2024-12296 Apus Framework <= 2.4 - Authenticated (Subscriber+) Arbitrary Options Update in import_page_options CVE-2026-25327 WordPress Five Star Restaurant Reservations plugin <= 2.7.9 - Broken Access Control vulnerability CVE-2025-39465 WordPress Advanced Google Maps plugin <= 5.8.4 - Broken Access Control vulnerability CVE-2023-2791 Playbooks lets you edit arbitrary posts CVE-2023-36504 WordPress BBS e-Popup plugin <= 2.4.5 - Broken Access Control vulnerability