WPForms, a WordPress form plugin installed on up to 6 million websites, has patched a high-severity vulnerability that could expose sites to unauthorized data modification. The flaw allows authenticated attackers to cancel subscriptions and refund payments without the privileges those actions normally require.
The Root Cause: Missing Capability Check
The vulnerability lies in the wpforms_is_admin_page function, which lacks a capability check: it does not verify what the current user is permitted to do, so code that relies on it as an authorization gate can be reached by any authenticated user, including one holding only the basic Subscriber role.
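To make the root cause concrete, here is an added illustration of the bug class (constructed for this article, not WPForms' own code): an admin-ajax handler that refunds a payment and relies on an "is this an admin page" check instead of a capability check, followed by the hardened form. The `example_*` function names, the `example-admin` nonce action, the `example_payment` post type and the use of `manage_options` as the required capability are assumptions made for the illustration; the snippet is written to run inside WordPress, for instance as a must-use plugin in wp-content/mu-plugins/.

```php
<?php
/**
 * Constructed illustration of the missing-capability-check bug class.
 * Not WPForms code. Runs inside WordPress (e.g. as a must-use plugin).
 */

/**
 * An "are we on our admin page?" check. is_admin() is true for every request
 * to /wp-admin/admin-ajax.php, whoever sends it, and $_REQUEST['page'] is set
 * by the client, so a Subscriber can satisfy this from a plain AJAX call.
 */
function example_is_admin_page(): bool {
	if ( ! is_admin() || empty( $_REQUEST['page'] ) ) {
		return false;
	}
	$page = sanitize_key( wp_unslash( $_REQUEST['page'] ) );
	return strpos( $page, 'example-payments' ) === 0;
}

/** Hypothetical gateway call; records the outcome on the payment record. */
function example_issue_refund( int $payment_id ): void {
	update_post_meta( $payment_id, '_example_refund_status', 'refunded' );
}

/**
 * VULNERABLE: the only gates are the admin-page check and a nonce. The nonce
 * proves the request came from a page that printed it (CSRF protection), not
 * that the user may refund anything, so any logged-in user who can load a
 * screen carrying the nonce reaches example_issue_refund().
 */
function example_ajax_refund_vulnerable(): void {
	check_ajax_referer( 'example-admin', 'nonce' );

	if ( ! example_is_admin_page() ) {
		wp_send_json_error( 'Not an admin page.' );
	}

	example_issue_refund( absint( $_POST['payment_id'] ?? 0 ) );
	wp_send_json_success();
}

/**
 * HARDENED: authorize with a capability. manage_options is held by
 * Administrators and not by Subscribers; a real plugin would normally use its
 * own capability name here. Fail closed with a 403 before touching any data,
 * then validate that the target is actually a payment record.
 */
function example_ajax_refund_hardened(): void {
	check_ajax_referer( 'example-admin', 'nonce' );

	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'You are not allowed to refund payments.', 403 );
	}

	$payment_id = absint( $_POST['payment_id'] ?? 0 );
	if ( 0 === $payment_id || 'example_payment' !== get_post_type( $payment_id ) ) {
		wp_send_json_error( 'Unknown payment.', 400 );
	}

	example_issue_refund( $payment_id );
	wp_send_json_success( [ 'payment_id' => $payment_id ] );
}

// wp_ajax_* fires for every logged-in user, Subscribers included, so the
// capability check inside the handler is the only thing enforcing privilege.
add_action( 'wp_ajax_example_refund', 'example_ajax_refund_hardened' );
```

The lesson generalizes beyond this plugin: `is_admin()`, `$_REQUEST['page']` and admin-screen helpers describe the request context, and a nonce describes where the request was generated; neither says anything about the caller's role. Every privileged write reachable through admin-ajax.php or the REST API needs its own `current_user_can()` check.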
Key Details:
- Affected Versions: WPForms versions 1.8.4 to 1.9.2.1.
- Impact: Unauthorized subscription cancellations and payment refunds.
- Severity: High; the impact is greatest on sites whose paying customers hold Subscriber-level accounts, since those customers already have the access the attack needs.
- Access Requirements: An authenticated account with Subscriber-level access or above. On sites with open registration, where new accounts receive the Subscriber role by default, that is anyone who signs up.
According to Wordfence, this vulnerability is severe due to the potential impact on websites with paid memberships or subscriptions.
Wordfence Statement:
“The WPForms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the wpforms_is_admin_page function in versions starting from 1.8.4 up to, and including, 1.9.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to refund payments and cancel subscriptions.”
What Should Site Owners Do?
To safeguard your site, take the following steps promptly:
- Update the Plugin: Upgrade WPForms to version 1.9.2.2 or later.
- Review Permissions: Audit user roles and registration settings. Because a Subscriber-level account is all the attack requires, check whether open registration (Settings > General > Membership, "Anyone can register") is enabled and still needed, and remove accounts that no longer need access.
- Monitor Activity: Review your payment gateway and WPForms payment records for refunds or subscription cancellations you did not initiate, particularly in the period before the update was applied.
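The first two checks above can be run from the command line instead of clicking through the dashboard. The following is an added audit script, written for this article and not WPForms' or Wordfence's code, that reports the installed WPForms version against the affected range, whether open registration is enabled and with which default role, and how many Subscriber accounts already exist. It assumes WP-CLI is installed and is run from the site root with `wp eval-file wpforms-audit.php`; the file name and the `wpforms_audit_*` names are this article's own.

```php
<?php
/**
 * Added audit script for the WPForms advisory (not WPForms/Wordfence code).
 * Run from the WordPress root:  wp eval-file wpforms-audit.php
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit( "Run this through WP-CLI (wp eval-file) so WordPress is loaded.\n" );
}

// get_plugins() / is_plugin_active() live in the admin includes.
require_once ABSPATH . 'wp-admin/includes/plugin.php';

// Affected range and fix version as stated in the advisory.
const WPFORMS_AUDIT_AFFECTED_MIN = '1.8.4';
const WPFORMS_AUDIT_AFFECTED_MAX = '1.9.2.1';
const WPFORMS_AUDIT_FIXED        = '1.9.2.2';

/**
 * Locate WPForms among installed plugins. Lite ships as
 * wpforms-lite/wpforms.php and Pro as wpforms/wpforms.php; both have a
 * main file named wpforms.php, which is what we match on.
 */
function wpforms_audit_installed(): ?array {
	foreach ( get_plugins() as $file => $data ) {
		if ( strpos( $file, 'wpforms' ) === 0 && basename( $file ) === 'wpforms.php' ) {
			return [
				'file'    => $file,
				'version' => $data['Version'],
				'active'  => is_plugin_active( $file ),
			];
		}
	}
	return null;
}

/** True when $version is inside [1.8.4, 1.9.2.1] inclusive. */
function wpforms_audit_version_affected( string $version ): bool {
	return version_compare( $version, WPFORMS_AUDIT_AFFECTED_MIN, '>=' )
		&& version_compare( $version, WPFORMS_AUDIT_AFFECTED_MAX, '<=' );
}

// 1. Plugin version.
$plugin = wpforms_audit_installed();
if ( null === $plugin ) {
	echo "WPForms: not installed\n";
} else {
	$state = wpforms_audit_version_affected( $plugin['version'] )
		? 'AFFECTED (update to ' . WPFORMS_AUDIT_FIXED . ' or later)'
		: 'not in the affected range';
	printf(
		"WPForms %s (%s, %s): %s\n",
		$plugin['version'],
		$plugin['file'],
		$plugin['active'] ? 'active' : 'inactive',
		$state
	);
}

// 2. Can an attacker simply register the Subscriber account the attack needs?
$open_registration = (bool) get_option( 'users_can_register' );
printf(
	"Open registration: %s (default role for new users: %s)\n",
	$open_registration ? 'ENABLED' : 'disabled',
	get_option( 'default_role' )
);

// 3. How many accounts already hold the minimum privilege required.
$counts = count_users();
printf(
	"Subscriber accounts: %d of %d users\n",
	$counts['avail_roles']['subscriber'] ?? 0,
	$counts['total_users']
);
```

Any line reading AFFECTED or ENABLED deserves attention. For the free version the update itself can also be scripted with WP-CLI (`wp plugin update wpforms-lite`); the paid version is updated through the dashboard with its license key, after which re-running the script confirms the version is no longer in range.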
How to Update WPForms
- Log in to your WordPress dashboard.
- Navigate to Plugins > Installed Plugins.
- Locate WPForms and click Update Now if an update is available, then confirm that the installed version shown afterwards is 1.9.2.2 or later.
Stay Secure
Keeping plugins up to date is a crucial part of website security. Regularly monitor your WordPress environment and stay informed about newly disclosed vulnerabilities to reduce risk.