CVE-2024-11205

High CVSS 8.5

Overview

The WPForms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpforms_is_admin_page' function in versions starting from 1.8.4 up to, and including, 1.9.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to refund payments and cancel subscriptions.

CWE: CWE-862 Published: 2024-12-10T05:15:05.510

Risk analysis

This vulnerability is rated 🟠 HIGH.

CVSS: 8.5 (HIGH)
Detected tags: wordpress (tag impact: LOW)

Recommended actions:

Prioritize remediation based on business criticality and exposure.
Limit exposure and increase monitoring until fixed.

Overview

Recommended tools

Tags