CVE-2024-11205

Published Dec 10, 2024

Last updated 3 months ago

Overview

Description
The WPForms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpforms_is_admin_page' function in versions starting from 1.8.4 up to, and including, 1.9.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to refund payments and cancel subscriptions.
Source
security@wordfence.com
NVD status
Received

Risk scores

CVSS 3.1

Type
Primary
Base score
8.5
Impact score
4.7
Exploitability score
3.1
Vector string
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
Severity
HIGH

Weaknesses

security@wordfence.com
CWE-862
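CWE-862 in a WordPress plugin almost always looks the same in code: a handler reachable through wp-admin/admin-ajax.php gates itself on request context rather than on the caller's capability. The block below is an added example, not WPForms' code and not a reconstruction of it; the `demo_` function names, AJAX action names and the refund helper are hypothetical stand-ins. What is not hypothetical is the WordPress behaviour it relies on: `is_admin()` is true for every request under wp-admin/, including admin-ajax.php, which any logged-in user (Subscriber included) can reach, so an "is this an admin page?" test cannot substitute for `current_user_can()`.

```php
<?php
/**
 * Added example (not WPForms' code): the CWE-862 anti-pattern in a WordPress
 * AJAX handler, beside a hardened version. All demo_* names are hypothetical.
 */

// VULNERABLE: a context check, not an authorization check.
// is_admin() is true for any request to wp-admin/, including admin-ajax.php,
// regardless of who is logged in; and a request parameter is attacker-controlled.
function demo_is_admin_page_vulnerable( $slug = '' ) {
    if ( ! is_admin() ) {
        return false;
    }
    // Hypothetical: trusts the request to say which page it is "on".
    $page = isset( $_REQUEST['page'] ) ? sanitize_key( $_REQUEST['page'] ) : '';
    return 0 === strpos( $page, 'demo-' . $slug );
}

function demo_refund_handler_vulnerable() {
    if ( ! demo_is_admin_page_vulnerable( 'payments' ) ) {
        wp_send_json_error( 'not an admin page', 403 );
    }
    $payment_id = absint( $_POST['payment_id'] ?? 0 );
    demo_issue_refund( $payment_id ); // hypothetical gateway call
    wp_send_json_success();
}
// A Subscriber satisfies the check with one request:
//   POST /wp-admin/admin-ajax.php?page=demo-payments
//   action=demo_refund_vulnerable&payment_id=123
add_action( 'wp_ajax_demo_refund_vulnerable', 'demo_refund_handler_vulnerable' );

// HARDENED: a capability check (who may do this) plus a nonce (did this user
// intend this request). Neither can be derived from request context.
function demo_refund_handler_hardened() {
    // Nonce minted server-side with wp_create_nonce( 'demo_refund' ) and sent
    // back in the 'nonce' field; check_ajax_referer() dies with 403 on mismatch.
    check_ajax_referer( 'demo_refund', 'nonce' );

    // Authorization is tied to a capability, not to a page or a role name.
    // manage_options is the stock administrator capability; a real plugin
    // would normally register a narrower custom capability for refunds.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient capability', 403 );
    }

    $payment_id = absint( $_POST['payment_id'] ?? 0 );
    if ( 0 === $payment_id ) {
        wp_send_json_error( 'missing payment_id', 400 );
    }
    demo_issue_refund( $payment_id ); // hypothetical gateway call
    wp_send_json_success( array( 'refunded' => $payment_id ) );
}
add_action( 'wp_ajax_demo_refund_hardened', 'demo_refund_handler_hardened' );

// Stand-in for the payment-gateway call so this file loads as a plugin.
function demo_issue_refund( $payment_id ) {
    do_action( 'demo_refund_issued', $payment_id );
}
```

Two checks a practitioner would run on a site in scope: confirm the installed version with `wp plugin list --fields=name,version` (the affected range is 1.8.4 through 1.9.2.1), and, when reviewing any plugin's AJAX or REST handlers, grep for `wp_ajax_` hooks whose callbacks never call `current_user_can()` or `check_ajax_referer()`. Role names in a `wp_ajax_` handler are not a substitute either; capabilities are what WordPress actually enforces.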

Social media

Hype score
Not currently trending
  1. Vulnerability discovered in WordPress: A vulnerability with the identifier CVE-2024-11205 and a severity of 8.5 (High) has been identified in the WPForms plugin for WordPress. This security flaw allows attackers, without having the required permissions, to make fundamental changes to the site's settings and subscriptions.

    @cybernetic_cy

    31 Dec 2024

    112 Impressions

    2 Retweets

    4 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. 1/🚨 WPForms Vulnerability: Stripe Refund Exploit (CVE-2024-11205) 🔍 Overview A critical vulnerability in WPForms (v1.8.4–1.9.2.1) allows subscriber-level users to exploit missing authorization checks to: Perform unauthorized Stripe refunds Cancel subscriptions

    @firexcore

    15 Dec 2024

    20 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    1 Reply

    0 Quotes

  3. A vulnerability with the identifier CVE-2024-11205 has recently been published for one of the WordPress plugins, WPForms. Versions 1.8.4 through 1.9.2.1 of this plugin are affected by this vulnerability, and 6 million websites currently have this plugin installed. https://t.co/Poz3aKYxT1 https://t.co/97lg

    @AmirHossein_sec

    13 Dec 2024

    32 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  4. 🚨 Attention WordPress users! 🚨 A critical vulnerability (CVE-2024-11205) has been found in the WPForms plugin that could leave up to 6 million websites wide open. If you've got subscribers, they could exploit this weakness to issue unauthorized refunds and cancel subscriptions!

    @mpgone_it

    13 Dec 2024

    17 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  5. <Security news> Critical vulnerability in the WordPress plugin "WPForms" *Versions 1.8.4 through 1.9.2.1 Vulnerability: CVE-2024-11205 Fix: Update to version 1.9.2.2 or later Details: Attackers with Subscriber-level privileges or above could cancel Stripe payments and subscriptions… https://t.co/F3fl8D4ogO

    @ColorfulBoxJp

    13 Dec 2024

    87 Impressions

    0 Retweets

    1 Like

    0 Bookmarks

    0 Replies

    0 Quotes

  6. Critical vulnerability (CVE-2024-11205) in WPForms, a popular WordPress plugin https://t.co/keR8vp3bYC

    @01Programing

    11 Dec 2024

    9 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  7. A vulnerability in WPForms, a WordPress plugin used in over 6 million websites, could allow subscriber-level users to issue arbitrary Stripe refunds or cancel subscriptions. Tracked under CVE-2024-11205, the flaw was categorized as high-severity. https://t.co/YUyr52l4BO https:/

    @riskigy

    10 Dec 2024

    30 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  8. WordPress WPForms flaw CVE-2024-11205 #Wordpress #WPForms #CVE-2024-11205 https://t.co/3vcSv1aEZf

    @pravin_karthik

    10 Dec 2024

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  9. CVE-2024-11205: Missing Authorization in WPForms Plugin, 8.5 rating❗️ Vuln affecting several functions allows attackers to return payments made through the Stripe system. Search at https://t.co/hv7QKSqxTR: 👉 Link: https://t.co/6J4iMVEF0Y #cybersecurity #vulnerabilty_map https

    @Netlas_io

    10 Dec 2024

    407 Impressions

    2 Retweets

    10 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  10. CVE-2024-11205 WPForms Plugin Vulnerability Allows Unauthorized Data Mod... https://t.co/pQuVlU1cax Don't wait for vulnerability scanning results: https://t.co/oh1APvMMnd

    @VulmonFeeds

    10 Dec 2024

    26 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  11. [CVE-2024-11205: HIGH] WordPress WPForms plugin 1.8.4 to 1.9.2.1 is at risk! A missing capability check allows unauthorized data modification. Attackers with Subscriber-level access can cancel subscriptions or re...#cybersecurity,#vulnerability https://t.co/PpIfjldffb https://t.c

    @CveFindCom

    10 Dec 2024

    86 Impressions

    1 Retweet

    0 Likes

    1 Bookmark

    0 Replies

    0 Quotes

  12. Some vulnerabilities really impress me #bolhasec Look at the case of CVE-2024-11205 (CVSS 8.5) in the WPForms plugin: the is_admin function doesn't check whether the user is an admin 🤡😢 https://t.co/y3Jaf94Wfj

    @sushicomabacate

    9 Dec 2024

    3299 Impressions

    4 Retweets

    75 Likes

    3 Bookmarks

    8 Replies

    2 Quotes