WPForms plugin vulnerability for WordPress: how attackers can change subscriptions and refund payments


A serious vulnerability has been found in WPForms, a WordPress plugin used on a very large number of sites. It allows attackers to change subscriptions and issue refunds.
"A vulnerability in the WPForms plugin for WordPress has been disclosed which allows unauthorized data modification due to a missing capability check on the 'wpforms_is_admin_page' function in versions 1.8.4 to 1.9.2.1. This makes it possible for authenticated attackers."
🚀 In this context, a "missing capability check" means that the plugin does not verify whether the user has the permissions required to make changes through this function. As a result, the plugin lets attackers who lack sufficient privileges modify data. An attacker needs at least Subscriber-level rights to carry out the attack. This is what makes the issue so severe: sites where users pay for a subscription almost certainly have accounts with the Subscriber role.
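To show what a missing capability check looks like in WordPress code, here is an added illustration that is not WPForms code and does not reproduce the plugin's internals. It uses a hypothetical admin-ajax handler (the `demo_` names, hook names and meta keys are assumptions) that marks a payment as refunded, first without an authorization check and then with one:

```php
<?php
/**
 * Added illustration (not WPForms code): a hypothetical admin-ajax handler
 * that mutates a payment record. The demo_ function names, hook names,
 * post type and meta key are assumptions made for this example.
 */

// WEAK: any logged-in user, a Subscriber included, can trigger wp_ajax_* hooks.
// is_admin() only tells us the request targets the admin area (admin-ajax.php
// counts), not that the caller is an administrator, so it is not a capability check.
function demo_refund_payment_weak() {
    if ( ! is_admin() ) {
        wp_send_json_error( 'not an admin page', 403 );
    }
    $payment_id = absint( $_POST['payment_id'] ?? 0 );
    update_post_meta( $payment_id, '_demo_status', 'refunded' );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_refund_payment_weak', 'demo_refund_payment_weak' );

// HARDENED: verify a nonce bound to the action and the calling user's
// capability before touching any data.
function demo_refund_payment_hardened() {
    // The nonce defends against cross-site request forgery; it is not
    // an authorization check on its own.
    check_ajax_referer( 'demo_refund_payment', 'nonce' );

    // The authorization check the weak handler lacks: refunding is an
    // administrative action, so require manage_options (or a plugin-specific
    // capability granted only to trusted roles).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // Validate that the target really is a payment record before modifying it.
    $payment_id = absint( $_POST['payment_id'] ?? 0 );
    if ( ! $payment_id || get_post_type( $payment_id ) !== 'demo_payment' ) {
        wp_send_json_error( 'unknown payment', 400 );
    }
    update_post_meta( $payment_id, '_demo_status', 'refunded' );
    wp_send_json_success( array( 'payment_id' => $payment_id ) );
}
add_action( 'wp_ajax_demo_refund_payment_hardened', 'demo_refund_payment_hardened' );
```

The difference between the two handlers is the `current_user_can()` call: `is_admin()` and a nonce describe where a request came from, while only a capability check says who is allowed to perform the action. When reviewing a plugin, look for every hook reachable by authenticated users (`wp_ajax_*`, REST routes, `admin_post_*`) and confirm each one gates state changes on a capability appropriate to the operation, not merely on the user being logged in.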
- 📌 A vulnerability in the WPForms plugin for WordPress allows unauthorized data modification.
- 📌 The plugin does not check whether the user has sufficient rights to make the change.
- 📌 An attacker needs only Subscriber-level rights to exploit it.
- 📌 It is recommended to update the WPForms plugin to the latest version.
This article was generated with the help of AI based on the referenced material, then edited and checked manually by the author for accuracy and usefulness.
https://www.searchenginejournal.com/wpforms-plugin-vulnerability-affects-up-to-6-million-sites/534920/