Warning over new WordPress transactions vulnerability

This vulnerability allows even low-privilege users to issue unauthorized Stripe refunds.

Image by Raymangold22 / Wikimedia (CC0 1.0)

A flaw in a WordPress plug-in could allow subscriber-level users to issue arbitrary Stripe refunds or cancel subscriptions, putting sites that use WordPress for e-commerce at risk.

Dr. Howard Goodman, Senior Technical Director at Skybox, has examined the recent vulnerability in WPForms, a WordPress plugin used by over 6 million websites.

Goodman presents the case as to why this newly identified vulnerability is a matter of concern: “The recent discovery of CVE-2024-11205, a serious vulnerability in WPForms, highlights the urgent need for businesses and website owners to act against known threats before attackers can exploit them.”

As to the specific threat posed, he notes: “This vulnerability allows even low-privilege users, such as subscribers, to issue unauthorized Stripe refunds or cancel subscriptions, potentially causing significant financial and operational damage.”

A solution is available, although Goodman is concerned about the take-up rate: “Although a fix for this issue has been released, nearly half of the affected websites remain unpatched, leaving millions of sites vulnerable. This underscores the importance of applying updates promptly to prevent exploitation.”

WordPress sites have long been targeted

Goodman also notes there are factors that continue to make WordPress the target for criminals: “Unfortunately, WordPress sites have long been targeted due to outdated plugins and themes, even as their functionality and accessibility continue to make them widely used.”

This means administrators should be proactive. Here Goodman recommends: “Website administrators should prioritize updating plugins, themes, and core software to the latest versions as soon as fixes become available.”

Goodman also proposes: “Maintaining an accurate inventory of site components and monitoring for vulnerabilities are also critical steps. Understanding how attackers might exploit vulnerabilities can help focus efforts on the most critical areas.”

There are other measures that can be adopted, observes Goodman: “In cases where immediate updates are not feasible, additional security measures, such as restricting access to sensitive functions and implementing stricter authentication controls, can reduce risk. Staying informed about emerging threats and leveraging real-time monitoring tools can also provide early warnings, enabling swift action before vulnerabilities are exploited.”
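The two measures Goodman names, restricting access to sensitive functions and stricter authentication controls, map onto concrete checks in WordPress plugin code. The following is an added illustration written for this article, not WPForms code, and it does not describe how CVE-2024-11205 itself arises: it contrasts a privileged payment handler that trusts any logged-in user with one that verifies a nonce, checks a capability that subscribers never hold, validates its input and logs the actor. The action names, the nonce action string and the `hypothetical_issue_refund()` helper are assumptions.

```php
<?php
/**
 * Added illustration, not WPForms code: a WordPress AJAX handler for a
 * privileged payment action, shown first without and then with the
 * authorization checks that "restricting access to sensitive functions"
 * and "stricter authentication controls" imply. The action names, nonce
 * action string and the refund helper are hypothetical.
 */

// Insecure pattern: wp_ajax_{action} is reachable by any logged-in user,
// including subscribers, and nothing checks who they are or what they may do.
function insecure_refund_handler() {
    $payment_id = isset( $_POST['payment_id'] ) ? sanitize_text_field( wp_unslash( $_POST['payment_id'] ) ) : '';
    hypothetical_issue_refund( $payment_id ); // hypothetical helper that calls the payment provider
    wp_send_json_success();
}
add_action( 'wp_ajax_insecure_refund', 'insecure_refund_handler' );

// Hardened pattern: nonce check (CSRF), capability check (authorization),
// input validation and an audit record before any money moves.
function hardened_refund_handler() {
    // 1. Reject requests that do not carry a valid nonce for this action.
    check_ajax_referer( 'example_refund_nonce', 'nonce' );

    // 2. Require a capability subscribers never hold. A plugin can register a
    //    narrower custom capability; manage_options is used here as a
    //    conservative administrator-only default.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Validate the identifier before passing it to the payment layer.
    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    if ( 0 === $payment_id ) {
        wp_send_json_error( array( 'message' => 'Invalid payment id.' ), 400 );
    }

    // 4. Record who requested what, so unexpected refunds are auditable.
    error_log( sprintf( 'Refund requested for payment %d by user %d', $payment_id, get_current_user_id() ) );

    hypothetical_issue_refund( $payment_id ); // hypothetical helper
    wp_send_json_success();
}
add_action( 'wp_ajax_hardened_refund', 'hardened_refund_handler' );

// The admin page that triggers the hardened action embeds this nonce in its
// request; requests without it fail at step 1 above.
function hardened_refund_nonce_for_admin_page() {
    return wp_create_nonce( 'example_refund_nonce' );
}
```

The capability check is the control that stops a subscriber from reaching the refund logic; the nonce check stops a third-party page from driving an administrator's browser into the same action. Reviewing a site's plugins for handlers registered on `wp_ajax_*`, `admin_post_*` or REST routes that lack these two checks is a practical way to apply the "restricting access to sensitive functions" advice while an update is still pending.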

Rounding up his assessment, Goodman provides a salutary warning: “The key lesson is this: cybercriminals thrive on delays and gaps in security. Addressing vulnerabilities like CVE-2024-11205 promptly is not just about patching; it’s about maintaining trust, protecting users, and safeguarding operations in an increasingly hostile online environment.”

Summing up, Goodman notes: “Vigilance and proactive security are the cornerstones of resilience in today’s digital landscape.”

Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.
