WPForms Plugin Vulnerability Affects Up To 6 Million Sites

The WPForms plugin for WordPress has a security issue that lets authenticated attackers with a low-privileged account change subscriptions and process refunds. The flaw gives them the ability to modify data they should not normally be able to change.

Missing Capability Check

The vulnerability arises from a missing permission check in a function called wpforms_is_admin_page within the plugin. This oversight allows users without the right permissions to make changes, which can put the site at risk from attackers. Attackers need to have at least subscriber-level access to exploit this issue. Normally, attacks like this do not get rated very high for severity.

However, since sites that sell paid subscriptions typically hold many users at the subscriber level, the risk is considered greater in this case. Users of the WPForms plugin, specifically versions 1.8.4 through 1.9.2.1, should therefore update the plugin.
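The bug class described above is a handler that asks "is this an admin-area request?" instead of "is this user allowed to do this?". In WordPress, is_admin() is true for every request that goes through admin-ajax.php, including requests from a subscriber account, so it says nothing about the caller's authorization. The following added illustration is not WPForms' code and does not reproduce wpforms_is_admin_page; the handler names, the nonce action and the manage_options capability are assumptions chosen to show the vulnerable shape next to the corrected one.

```php
<?php
// Added illustration of a missing capability check in a WordPress AJAX handler.
// Not the plugin's own code: handler names, nonce action and capability are assumed.

// Hypothetical helper that performs the privileged operation.
// Stores a refund marker on the payment post so the effect is visible.
function example_process_refund( $payment_id ) {
    if ( $payment_id <= 0 ) {
        return false;
    }
    update_post_meta( $payment_id, '_example_refunded', 1 );
    return true;
}

// VULNERABLE pattern: gates only on "is this an admin-area request?".
// is_admin() is true for admin-ajax.php requests from ANY logged-in user,
// so a subscriber can reach example_process_refund().
function example_refund_handler_vulnerable() {
    if ( ! is_admin() ) {
        wp_send_json_error( 'not an admin request', 403 );
    }
    $payment_id = absint( $_POST['payment_id'] ?? 0 );
    example_process_refund( $payment_id );
    wp_send_json_success();
}

// HARDENED pattern: verify the request nonce (anti-CSRF) and then the
// caller's capability. Both checks stop execution on failure.
function example_refund_handler_fixed() {
    // check_ajax_referer() calls wp_die() on an invalid or missing nonce.
    check_ajax_referer( 'example_refund_action', 'nonce' );

    // Authorization: the capability name is an assumption; a real plugin
    // should use the narrowest capability that covers refund handling.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $payment_id = absint( $_POST['payment_id'] ?? 0 );
    if ( ! example_process_refund( $payment_id ) ) {
        wp_send_json_error( 'invalid payment id', 400 );
    }
    wp_send_json_success();
}

// wp_ajax_* hooks fire for every authenticated user, which is exactly why
// the handler itself must carry the capability check.
add_action( 'wp_ajax_example_refund', 'example_refund_handler_fixed' );
```

When reviewing a plugin for this class of issue, look for handlers reachable through wp_ajax_*, REST routes or admin-post.php whose only guard is is_admin(), a page-slug comparison or a similar "which screen am I on" test; each of those needs a current_user_can() check (and a nonce for state-changing actions) before the privileged operation runs.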

Read the Wordfence security alert:

WPForms 1.8.4 – 1.9.2.1 – Missing Authorization to Authenticated (Subscriber+) Payment Refund and Subscription Cancellation
