CVE-2024-11205
CVSS 3.1 Score 8.5 of 10 (high)
Details
Published Dec 10, 2024
CWE ID 862
Summary
CVE-2024-11205 is a vulnerability in the WPForms plugin for WordPress. In versions 1.8.4 through 1.9.2.1, the 'wpforms_is_admin_page' function lacks a capability check (CWE-862, missing authorization). As a result, authenticated attackers, including those with only Subscriber-level access, can bypass the intended restrictions and perform unauthorized modifications; specifically, they can refund payments and cancel subscriptions. This vulnerability poses a significant risk to WordPress sites running the affected WPForms versions and requires immediate remediation.