CVE-2024-11205
HIGHWPForms 1.8.4-1.9.2.1 - Authenticated Unauthorized Payment Modification via Missing Capability Check
Title source: llmDescription
The WPForms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpforms_is_admin_page' function in versions starting from 1.8.4 up to, and including, 1.9.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to refund payments and cancel subscriptions.
References (5)
Core 5
Core References
Scores
CVSS v3
8.5
EPSS
0.0072
EPSS Percentile
49.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-862
Status
published
Products (1)
wpforms/wpforms
1.8.4 - 1.9.2.2
Published
Dec 10, 2024
Tracked Since
Feb 18, 2026