The widely used WPForms plugin, installed on up to 6 million WordPress websites, has patched a critical vulnerability that could expose sites to unauthorized data modifications. The flaw allows attackers to update subscriptions and issue refunds without proper privileges.

The Root Cause: Missing Capability Check

The vulnerability lies in the wpforms_is_admin_page function, which lacks a capability check. This oversight fails to verify user permissions, enabling attackers to modify data even with basic subscriber-level access.

Key Details:

Affected Versions: WPForms versions 1.8.4 to 1.9.2.1.
Impact: Unauthorized subscription updates and payment refunds.
Severity: High, especially for sites with subscriber-level users who pay for services.
Access Requirements: Attackers need subscriber-level credentials to exploit this flaw.

According to Wordfence, this vulnerability is severe due to the potential impact on websites with paid memberships or subscriptions.

Wordfence Statement:

“The WPForms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpforms_is_admin_page function in versions starting from 1.8.4 up to, and including, 1.9.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to refund payments and cancel subscriptions.”

What Should Site Owners Do?

To safeguard your site, it’s critical to take immediate action:

Update the Plugin: Upgrade WPForms to version 1.9.2.2 or higher.
Review Permissions: Audit user roles and ensure that subscriber-level accounts are only assigned when necessary.
Monitor Activity: Keep an eye on suspicious activity, particularly subscription or refund modifications.