Connect with us

Hi, what are you looking for?

Tech & Science

Warning over new WordPress transactions vulnerability

This vulnerability allows even low-privilege users to issue unauthorized Stripe refunds.

Image by Raymangold22 / Wikimedia (CC0 1.0)
Image by Raymangold22 / Wikimedia (CC0 1.0)

A WordPress plug-in could potentially allow subscriber-level users to issue arbitrary Stripe refunds or cancel subscriptions. This poses a potential risk to those who use WordPress for e-commerce.

Dr. Howard Goodman, Senior Technical Director at Skybox has examined the recent vulnerability in WPForms. This is a WordPress plugin used by over 6 million websites.

Goodman presents the case as to why this newly identified vulnerability is a matter of concern: “The recent discovery of CVE-2024-11205—a serious vulnerability in WPForms – highlights the urgent need for businesses and website owners to act against known threats before attackers can exploit them.”

As to the specific threat posed, he notes: “This vulnerability allows even low-privilege users, such as subscribers, to issue unauthorized Stripe refunds or cancel subscriptions, potentially causing significant financial and operational damage.”

A solution is available, although Goodman is concerned about the take-up rate: “Although a fix for this issue has been released, nearly half of the affected websites remain unpatched, leaving millions of sites vulnerable. This underscores the importance of applying updates promptly to prevent exploitation.”

WordPress sites have long been targeted

Goodman also notes there are factors that continue to make WordPress the target for criminals: “Unfortunately, WordPress sites have long been targeted due to outdated plugins and themes, even as their functionality and accessibility continue to make them widely used.”

This means administrators should be proactive. Here Goodman recommends: “Website administrators should prioritize updating plugins, themes, and core software to the latest versions as soon as fixes become available.”

Goodman also proposes: “Maintaining an accurate inventory of site components and monitoring for vulnerabilities are also critical steps. Understanding how attackers might exploit vulnerabilities can help focus efforts on the most critical areas.”

There are other measures that can be adopted, observes Goodman: “In cases where immediate updates are not feasible, additional security measures, such as restricting access to sensitive functions and implementing stricter authentication controls, can reduce risk. Staying informed about emerging threats and leveraging real-time monitoring tools can also provide early warnings, enabling swift action before vulnerabilities are exploited.”

Rounding up his assessment, Goodman provides a salutary warning: “The key lesson is this: cybercriminals thrive on delays and gaps in security. Addressing vulnerabilities like CVE-2024-11205 promptly is not just about patching; it’s about maintaining trust, protecting users, and safeguarding operations in an increasingly hostile online environment.”

Summing up, Goodman notes: “Vigilance and proactive security are the cornerstones of resilience in today’s digital landscape.”

Avatar photo
Written By

Dr. Tim Sandle is Digital Journal's Editor-at-Large for science news. Tim specializes in science, technology, environmental, business, and health journalism. He is additionally a practising microbiologist; and an author. He is also interested in history, politics and current affairs.

You may also like:

World

The Chinese New Year, the Year of the Snake, begins Wednesday.

World

Scores of prisoners were reunited with their families - Copyright AFP John WesselsYemen’s Iran-backed Huthi rebels, who are poised to return to the US...

Social Media

Tens of thousands of Germans rallied Saturday against the far right ahead of next month's legislative elections.

Life

A recent study by the company Edumentors analysed major cities around the UK to determine which locations are the easiest for students.