CVE-2024-11205

CVSS 3.1 Score 8.5 of 10 (high)

Details

Published Dec 10, 2024
CWE ID 862 (Missing Authorization)

Summary

CVE-2024-11205 is a missing-authorization vulnerability in the WPForms plugin for WordPress. In versions 1.8.4 through 1.9.2.1, the 'wpforms_is_admin_page' function is used as a gate for sensitive actions but performs no capability check, so it tests only whether the request looks like an admin-page request, not whether the requesting user is allowed to perform the action. Any authenticated user, down to the Subscriber role (the lowest default role, which any site with open registration hands out freely), can therefore trigger payment actions that should be restricted to administrators: refunding payments and cancelling subscriptions. Sites running an affected version should update to a release later than 1.9.2.1 and review payment and subscription records for unexpected refunds or cancellations made while the vulnerable version was installed.
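The pattern described above, shown as an added illustration that is not WPForms' code: a hypothetical AJAX refund handler gated only on an "is this an admin page" helper, next to a hardened version that checks a nonce and an explicit capability. Every function and action name here (myplugin_*, hypothetical_is_admin_page, myplugin_refund_payment, the 'myplugin-refund' nonce action) is invented for the example; only the WordPress core calls (is_admin, add_action, check_ajax_referer, current_user_can, wp_send_json_*) are real.

```php
<?php
// Added example, not WPForms code. Demonstrates why an "admin page" check is not an
// authorization check, and what the hardened handler looks like.

// Hypothetical analogue of a helper that decides "are we on this plugin's admin page"
// by looking at the request. It says nothing about WHO is making the request.
function hypothetical_is_admin_page() {
    // is_admin() is true for every admin-ajax.php request, which any logged-in user can
    // send, and the `page` query argument is attacker-controlled.
    return is_admin()
        && isset( $_GET['page'] )
        && 0 === strpos( (string) $_GET['page'], 'myplugin-' );
}

// Hypothetical gateway call; stands in for the real refund logic.
function myplugin_refund_payment( $payment_id ) {
    return array( 'refunded' => $payment_id );
}

// VULNERABLE: the only gate is the page check. A Subscriber can POST to
// /wp-admin/admin-ajax.php?action=myplugin_refund_vulnerable&page=myplugin-payments
// and reach the refund call.
function myplugin_ajax_refund_vulnerable() {
    if ( ! hypothetical_is_admin_page() ) {
        wp_send_json_error( 'not an admin page' ); // calls wp_die()
    }
    $payment_id = absint( $_POST['payment_id'] ?? 0 );
    wp_send_json_success( myplugin_refund_payment( $payment_id ) );
}
add_action( 'wp_ajax_myplugin_refund_vulnerable', 'myplugin_ajax_refund_vulnerable' );

// HARDENED: CSRF check plus an explicit capability check before touching money.
// 'manage_options' is an assumed choice; use the narrowest capability that fits.
function myplugin_ajax_refund_hardened() {
    check_ajax_referer( 'myplugin-refund', 'nonce' );       // rejects forged requests
    if ( ! current_user_can( 'manage_options' ) ) {         // authorization, not page context
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    $payment_id = absint( $_POST['payment_id'] ?? 0 );
    wp_send_json_success( myplugin_refund_payment( $payment_id ) );
}
add_action( 'wp_ajax_myplugin_refund_hardened', 'myplugin_ajax_refund_hardened' );
```

The 'wp_ajax_{action}' hook fires for any authenticated user regardless of role, so the capability check inside the handler is the only thing standing between a Subscriber and the refund. When auditing a plugin for this class of bug, grep each 'wp_ajax_' and 'admin_post_' handler for a current_user_can() call on the path that reaches the sensitive operation; a check that only inspects the request (is_admin(), $_GET['page'], a referer) does not count.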

