A vulnerability has been discovered in WPForms, a WordPress plugin used by more than six million sites. As reported by our colleagues at Bleeping Computer, the flaw was found at the end of October by a security researcher going by the handle villu164, who reported it to Wordfence, the team behind a WordPress security plugin of the same name. He received a bounty of $2,376 for the discovery a few days later.
Unauthorized refunds
Available in paid or free version with limitations, the plugin allows you to easily create personalized forms for WordPress sites. It is possible to design contact forms, feedback forms, subscription forms and payment forms. It is compatible with several online payment managers, including PayPal and Stripe.
By exploiting the flaw, a user logged in to the site can issue a refund through Stripe without the consent of the site's administrators. In practice, a customer can obtain a refund from an online store after placing an order.
“This vulnerability allows authenticated malicious users, with Subscriber rights or higher, to refund Stripe payments and cancel Stripe subscriptions, even though they should not have this type of authorization,” Wordfence notes in its report.
Such a user can also cancel a subscription at will. For website owners this is serious: the vulnerability puts their revenue directly at risk.
The defect lies in a function intended to check whether a request comes from an administrative page or path (for example, the WordPress dashboard). It does not, however, check the permissions of the user making the request: it never verifies that the caller holds the capabilities required for the data or actions involved. Checking where a request is routed is not the same as checking who sent it; in WordPress, any logged-in account can reach the admin-side request handlers, so any authenticated user could issue commands reserved for administrators.
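As an added illustration (this is not WPForms code and does not reproduce the actual flaw), the following hypothetical plugin handler shows the pattern described above, a request-origin check standing in for an authorization check, next to a hardened version with a capability check and a nonce. All hook, function and nonce names beginning with myplugin_ are invented for the example; the WordPress functions (is_admin, current_user_can, check_ajax_referer, wp_send_json_error) are real.

```php
<?php
// Added example: a hypothetical WordPress plugin, not WPForms' own code.

// Hypothetical helper standing in for the call to the payment gateway's refund API.
function myplugin_do_refund( int $payment_id ): void {
    // The real plugin would contact the payment provider here; out of scope.
}

// VULNERABLE PATTERN.
// The 'wp_ajax_*' hook only requires that the caller be logged in: a Subscriber
// qualifies. is_admin() answers "is this request routed through /wp-admin/?",
// which is true for /wp-admin/admin-ajax.php, the endpoint every logged-in user
// can call. It says nothing about the caller's role or capabilities.
add_action( 'wp_ajax_myplugin_refund_payment', 'myplugin_refund_payment_vulnerable' );
function myplugin_refund_payment_vulnerable(): void {
    if ( ! is_admin() ) {
        wp_send_json_error( 'not an admin request', 400 ); // wp_send_json_error() exits
    }
    // Any authenticated user reaches this point: no capability check, no CSRF check.
    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    myplugin_do_refund( $payment_id );
    wp_send_json_success();
}

// HARDENED PATTERN.
// 1. A nonce bound to the action ('myplugin_refund') defeats cross-site request forgery;
//    the admin page would embed it with wp_create_nonce( 'myplugin_refund' ).
// 2. current_user_can() checks the caller's capabilities, which is the authorization
//    decision is_admin() never made. 'manage_options' is held by Administrators only.
add_action( 'wp_ajax_myplugin_refund_payment_fixed', 'myplugin_refund_payment_fixed' );
function myplugin_refund_payment_fixed(): void {
    check_ajax_referer( 'myplugin_refund', 'nonce' ); // exits with 403 on a bad/missing nonce

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $payment_id = isset( $_POST['payment_id'] ) ? absint( $_POST['payment_id'] ) : 0;
    if ( 0 === $payment_id ) {
        wp_send_json_error( 'missing payment_id', 400 );
    }
    myplugin_do_refund( $payment_id );
    wp_send_json_success();
}
```

The practical check when reviewing a plugin is therefore simple: every handler that changes state (refund, cancel, delete, update) must call current_user_can() with the right capability and verify a nonce; is_admin(), the request path or the referer are not substitutes for either.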
A fix has been deployed
Versions 1.8.4 through 1.9.2.1 of the plugin are affected. Awesome Motive, the company behind WPForms, fixed the issue in plugin version 1.9.2.2.
Wordfence encourages “WordPress users to verify that their sites are updated with the latest patched version of WPForms as soon as possible given the critical nature of this vulnerability”. Based on WordPress statistics, more than three million sites are still running a vulnerable version.
This is far from the first time a flaw in a popular WordPress plugin has put millions of websites at risk. Last month, a flaw in Really Simple Security, a security-focused WordPress plugin, allowed a remote attacker to gain full administrator access on more than 4 million sites. A few months earlier, a vulnerability in the Popup Builder plugin was used to compromise thousands of sites.
Source :
Bleeping Computer