WPForms Plugin Vulnerability Exposes 6 Million Sites to Risk – Urgent Update Required
Security Flaw in WPForms Affects Millions of WordPress Sites – Learn How to Protect Your Website
Highlights
- WPForms plugin flaw lets attackers modify payments and cancel subscriptions with minimal access.
- The vulnerability stems from a missing capability check in the wpforms_is_admin_page function.
- Up to 6 million websites affected; users urged to update their WPForms versions immediately.
The WPForms plugin for WordPress has a serious security flaw that could impact up to 6 million websites. This vulnerability enables unauthorized users to modify subscription details and issue refunds, actions they should not be able to perform. The issue arises due to a lack of proper user permission checks in the plugin’s code, allowing attackers with low-level subscriber access to manipulate sensitive data. The vulnerability has been patched, and it is crucial for website owners using WPForms versions 1.8.4 through 1.9.2.1 to update their plugins immediately to prevent potential exploitation.
WPForms Vulnerability: Attackers Can Modify Payments and Subscriptions
A critical security flaw in the WPForms plugin for WordPress affects versions 1.8.4 to 1.9.2.1, allowing attackers to manipulate sensitive data on up to 6 million websites. The vulnerability stems from a missing capability check in the wpforms_is_admin_page function, which fails to properly validate user permissions. This flaw enables attackers with at least subscriber-level access to issue refunds and cancel subscriptions, actions normally restricted to higher-privilege users. While such an attack is uncommon, it is particularly severe for sites with paying subscribers, where the attacker can exploit the flaw to cause financial damage. It’s crucial that website owners update their WPForms plugin to the latest version to mitigate this risk.
The Wordfence announcement explains it like this:
“The WPForms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘wpforms_is_admin_page’ function in versions starting from 1.8.4 up to, and including, 1.9.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to refund payments and cancel subscriptions.”
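As an added illustration (not WPForms' code, and not a description of how wpforms_is_admin_page is implemented), here is a hypothetical admin-AJAX handler that authorizes on page context, beside the same handler gated on the user's capability and a nonce. The function names, the `example_` prefix and the `manage_options` capability are assumptions for the example.

```php
<?php
// Illustrative pattern only (not WPForms' actual code): a helper that answers
// "is this an admin page?" describes the *request*, not the *user*. Using it as
// the authorization gate lets any logged-in account reach privileged actions.

// Hypothetical vulnerable pattern: context check mistaken for permission check.
function example_is_admin_page() {
    // is_admin() is true for every admin-ajax.php request, and a Subscriber can
    // send one, so this says nothing about what the caller is allowed to do.
    return is_admin()
        && isset( $_REQUEST['page'] )
        && 0 === strpos( sanitize_text_field( wp_unslash( $_REQUEST['page'] ) ), 'example-' );
}

function example_refund_payment_vulnerable() {
    if ( ! example_is_admin_page() ) {
        wp_send_json_error( 'Not an admin page.' );
    }
    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    update_post_meta( $payment_id, '_example_status', 'refunded' ); // no check of WHO asked
    wp_send_json_success();
}

// Hardened handler: authorize the user first, then verify request intent.
function example_refund_payment_hardened() {
    // 1. Capability check. 'manage_options' is a stand-in; a real plugin would
    //    register its own capability for payment management.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }
    // 2. Nonce check: rejects forged cross-site requests riding an admin session.
    check_ajax_referer( 'example_refund_payment', 'nonce' );

    // 3. Validate input before acting on it.
    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    if ( ! $payment_id || 'example_payment' !== get_post_type( $payment_id ) ) {
        wp_send_json_error( 'Invalid payment id.', 400 );
    }
    update_post_meta( $payment_id, '_example_status', 'refunded' );
    wp_send_json_success( array( 'payment_id' => $payment_id ) );
}

// wp_ajax_* hooks fire for any logged-in user, which is exactly the population
// the advisory describes (Subscriber-level and above), so the capability check
// inside the handler is what actually restricts the action.
add_action( 'wp_ajax_example_refund_payment', 'example_refund_payment_hardened' );
```

When reviewing a plugin, a grep for `wp_ajax_` and `admin_post_` hooks whose callbacks lack a `current_user_can()` call is a quick way to surface this class of missing-capability bug.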
For full details, refer to the security alert by Wordfence: WPForms 1.8.4 – 1.9.2.1 vulnerability.