CVE-2024-11205: CWE-862 Missing Authorization in smub WPForms – Easy Form Builder for WordPress – Contact Forms, Payment Forms, Surveys, & More
CVE-2024-11205 is a high-severity missing-authorization vulnerability in the WPForms WordPress plugin, affecting versions 1.8.4 through 1.9.2.1. The 'wpforms_is_admin_page' function performs no capability check, so any authenticated user with Subscriber-level access or higher can refund payments and cancel subscriptions without the permissions those actions require. The flaw affects confidentiality (partially) and integrity (unauthorized financial modifications) but not availability. Exploitation requires an authenticated account but no user interaction beyond the attacker's own login. No exploitation in the wild is currently known.
AI Analysis
Technical Summary
CVE-2024-11205 is a missing authorization vulnerability (CWE-862) in the WPForms plugin for WordPress, affecting versions 1.8.4 up to and including 1.9.2.1. The root cause is that the 'wpforms_is_admin_page' function, which gates administrative actions, performs no capability check: it establishes that a request targets an admin page, not that the requesting user is allowed to act there. A check of request context is not authorization, so any authenticated user, down to the Subscriber role, can invoke the refund and subscription-cancellation actions and manipulate financial transactions managed through WPForms. The attack vector is the network, and no user interaction beyond the attacker's own login is needed. The CVSS 3.1 base score is 8.5 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N): network vector, low attack complexity, low privileges required, no user interaction, changed scope, low confidentiality impact and high integrity impact. No public exploit is known, but the flaw is publicly disclosed and of low complexity, so it should be treated as exploitable. The plugin is widely used for contact, payment and survey forms, so sites handling payments or subscriptions through it are materially exposed.
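The bug class described above, as an added example that is not WPForms code and does not reproduce 'wpforms_is_admin_page': a hypothetical plugin ("acme") whose refund handler relies on an "is this an admin page?" check, beside a hardened handler that verifies a capability and a nonce before doing anything. The plugin name, the function names, the 'acme_refund_payment' AJAX action and the post-meta storage are all assumptions; is_admin(), wp_doing_ajax(), current_user_can(), check_ajax_referer() and the other WordPress functions used are real. It also assumes, as is usual for WordPress admin actions, that the refund is invoked through wp-admin/admin-ajax.php.

```php
<?php
// Added example (hypothetical "acme" plugin), not WPForms code.
// Shows why an admin-context check is not an authorization check.

// Hypothetical refund: marks the payment post as refunded, once.
function acme_refund_payment( int $payment_id ): bool {
    if ( 'refunded' === get_post_meta( $payment_id, '_acme_payment_status', true ) ) {
        return false; // already refunded; never double-refund
    }
    update_post_meta( $payment_id, '_acme_payment_status', 'refunded' );
    return true;
}

// --- Vulnerable pattern (CWE-862) ----------------------------------------
// is_admin() is true for every request to wp-admin/admin-ajax.php, and any
// logged-in user, Subscriber included, can trigger wp_ajax_* handlers, so
// "is this an admin page?" never rejects anyone who can log in.
function acme_is_admin_page_vulnerable( string $slug ): bool {
    if ( wp_doing_ajax() ) {
        return is_admin();                 // always true under admin-ajax.php
    }
    $page = isset( $_GET['page'] ) ? sanitize_key( $_GET['page'] ) : '';
    return is_admin() && $page === 'acme-' . $slug;
}

function acme_ajax_refund_vulnerable(): void {
    if ( ! acme_is_admin_page_vulnerable( 'payments' ) ) {
        wp_send_json_error( 'not an admin page' );
    }
    // No capability check and no nonce: a Subscriber can POST
    // action=acme_refund_payment&payment_id=N and the refund goes through.
    acme_refund_payment( absint( $_POST['payment_id'] ?? 0 ) );
    wp_send_json_success();
}
// Deliberately not registered with add_action(); shown for contrast only.

// --- Hardened pattern ----------------------------------------------------
function acme_ajax_refund_fixed(): void {
    // CSRF: nonce bound to this specific action. check_ajax_referer() ends
    // the request (HTTP 403) when the nonce is missing or invalid.
    check_ajax_referer( 'acme_refund_payment', 'nonce' );

    // Authorization: an explicit capability, checked before any side effect.
    // 'manage_options' is the stock Administrator capability; a real plugin
    // would map its own, narrower capability for refunds.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $payment_id = absint( $_POST['payment_id'] ?? 0 );
    if ( 0 === $payment_id || 'acme_payment' !== get_post_type( $payment_id ) ) {
        wp_send_json_error( 'invalid payment id', 400 );
    }
    if ( ! acme_refund_payment( $payment_id ) ) {
        wp_send_json_error( 'already refunded', 409 );
    }
    wp_send_json_success( [ 'payment_id' => $payment_id, 'status' => 'refunded' ] );
}

// Register only the hardened handler, and only for logged-in users: there is
// no wp_ajax_nopriv_ hook, so anonymous requests never reach it at all.
add_action( 'wp_ajax_acme_refund_payment', 'acme_ajax_refund_fixed' );
```

The order in the hardened handler matters: the nonce is checked first (so a cross-site request from a privileged victim is rejected), the capability second, and input validation last, with every failure ending the request before the refund is touched. A handler that performs the side effect and only then checks who asked for it is the same bug in a different shape.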
Potential Impact
Any logged-in user can refund payments and cancel subscriptions, so the flaw permits direct financial loss and fraud rather than merely exposing data. The integrity of transaction records is the main casualty; confidentiality is partially affected; availability is not, although fraudulent refunds and cancellations disrupt business operations indirectly and erode customer trust. Because WPForms is widely deployed, exposure is broad, and sites that accept payments or run memberships or subscriptions through it face the greatest risk until they update. Sites where anyone can register an account are in the worst position, since Subscriber-level access is all that exploitation requires.
Mitigation Recommendations
1. Update WPForms to a release newer than 1.9.2.1, the end of the affected range, so that the authorization check is enforced; verify the installed version on every site rather than assuming automatic updates ran.
2. Until the update can be applied, enforce the missing check yourself: deny the refund and cancellation actions to users lacking an administrative capability with a must-use plugin or a security plugin that can restrict capabilities, and disable open user registration if the site does not need it, since a Subscriber account is all an attacker needs.
3. Monitor for refund and subscription-cancellation activity from accounts that should never perform it (low-privilege roles, newly registered users) and reconcile against the payment processor's own records.
4. Require multi-factor authentication for all WordPress accounts to reduce the chance that stolen credentials are used to reach the flaw.
5. Audit user roles regularly; remove stale accounts and keep elevated roles to trusted users.
6. If feasible, temporarily disable payment and subscription management in WPForms until the update is in place.
7. Add WAF rules for the WPForms administrative requests involved, noting that a WAF cannot see the WordPress role behind a session cookie, so such rules are a coarse backstop and not a substitute for the capability check.
8. Inform site administrators of the risk and the need to apply the update promptly.
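An interim compensating control of the kind items 2, 3 and 7 call for, as an added example that is neither WPForms code nor a vendor or Wordfence rule: a must-use plugin that denies selected admin-ajax actions to users lacking a capability and logs every attempt with user id, roles and client IP. The action names and the "acme" prefix are placeholders; the real action names must be taken from the affected plugin's own add_action( 'wp_ajax_...' ) registrations before deployment. It assumes the refund and cancellation actions go through wp-admin/admin-ajax.php.

```php
<?php
/**
 * Plugin Name: Interim AJAX authorization guard (added example, hypothetical)
 * Description: Place in wp-content/mu-plugins/ so it loads before regular plugins.
 *
 * Not WPForms code. Action names below are placeholders.
 */

// Guarded admin-ajax actions mapped to the capability they require.
const ACME_GUARDED_AJAX_ACTIONS = [
    'example_payment_refund' => 'manage_options', // placeholder action name
    'example_payment_cancel' => 'manage_options', // placeholder action name
];

function acme_guard_log( string $msg, array $ctx ): void {
    // error_log() writes to PHP's error log, or to wp-content/debug.log when
    // WP_DEBUG_LOG is enabled; forward that file to the SIEM for item 3.
    error_log( '[ajax-guard] ' . $msg . ' ' . wp_json_encode( $ctx ) );
}

function acme_guard_admin_ajax(): void {
    if ( ! wp_doing_ajax() || ! isset( $_REQUEST['action'] ) ) {
        return;
    }
    $action = sanitize_key( $_REQUEST['action'] );
    if ( ! isset( ACME_GUARDED_AJAX_ACTIONS[ $action ] ) ) {
        return; // not one of the guarded actions; leave it alone
    }

    $user = wp_get_current_user();
    $ctx  = [
        'action'  => $action,
        'user_id' => $user->ID,
        'roles'   => $user->roles,
        // REMOTE_ADDR is the proxy's address behind a load balancer; map the
        // real client header there before trusting this field.
        'ip'      => $_SERVER['REMOTE_ADDR'] ?? '',
    ];

    $required_cap = ACME_GUARDED_AJAX_ACTIONS[ $action ];
    if ( ! current_user_can( $required_cap ) ) {
        acme_guard_log( 'DENIED guarded ajax action', $ctx );
        wp_send_json_error( 'forbidden', 403 ); // ends the request here
    }
    acme_guard_log( 'allowed guarded ajax action', $ctx );
}

// admin-ajax.php fires 'admin_init' before dispatching wp_ajax_{action}, so
// a denial at priority 0 here runs before the plugin's own handler.
add_action( 'admin_init', 'acme_guard_admin_ajax', 0 );
```

Every denied entry in the log is, by construction, a low-privilege account attempting a financial action, which is exactly the signal item 3 asks for; a run of them from one user or IP is an account to lock and a session to invalidate. Remove the guard once the updated plugin is confirmed on every site, so the two checks do not drift apart.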
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, India, Brazil, Netherlands, Japan, Italy, Spain, South Africa
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2024-11-14T01:40:30.567Z
- CVSS Version: 3.1
- State: PUBLISHED
Added to database: 2/25/2026, 9:47:54 PM
Last enriched: 2/26/2026, 7:41:03 AM
Last updated: 2/26/2026, 8:34:17 AM