The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2024-11205

CVE-2024-11205: WPForms Auth Bypass Vulnerability

CVE-2024-11205 is an authentication bypass flaw in WPForms plugin for WordPress that allows low-privileged users to refund payments and cancel subscriptions. This article covers technical details, affected versions, and mitigation.

Published: January 28, 2026

CVE-2024-11205 Overview

The WPForms plugin for WordPress contains a critical authorization bypass vulnerability due to a missing capability check on the wpforms_is_admin_page function. This flaw affects versions from 1.8.4 up to and including 1.9.2.1, allowing authenticated attackers with Subscriber-level access and above to perform unauthorized administrative actions including refunding payments and canceling subscriptions through the Stripe payment integration.

Critical Impact

Authenticated users with minimal privileges (Subscriber-level) can manipulate payment data, issue unauthorized refunds, and cancel active subscriptions, potentially causing significant financial damage to WordPress site owners.

Affected Products

  • WPForms WordPress Plugin versions 1.8.4 through 1.9.2.1
  • WPForms Lite WordPress Plugin (affected versions)
  • WordPress sites using WPForms with Stripe payment integration

Discovery Timeline

  • 2024-12-10 - CVE-2024-11205 published to NVD
  • 2025-08-12 - Last updated in NVD database

Technical Details for CVE-2024-11205

Vulnerability Analysis

This vulnerability is classified as CWE-862 (Missing Authorization). The core issue lies in the wpforms_is_admin_page function located in the plugin's checks.php file, which fails to properly verify user capabilities before allowing access to sensitive payment management functionality.

The missing capability check enables any authenticated user—including those with the minimal Subscriber role—to interact with the Stripe Admin Payments handler. Specifically, the SingleActionsHandler.php component processes refund and subscription cancellation requests without adequately validating that the requesting user has the administrative privileges required for such financial operations.

The vulnerability is exploitable over the network and requires low attack complexity. While the attacker must be authenticated (at minimum Subscriber-level), no user interaction is required to execute the attack. The impact is focused on data integrity, allowing unauthorized modification of payment records without affecting confidentiality or availability directly.

Root Cause

The root cause is a missing authorization check in the wpforms_is_admin_page function. This function is intended to determine whether the current page is an admin page but fails to verify whether the current user has the appropriate capabilities to perform administrative actions on that page. The Stripe payment handlers rely on this flawed check, inadvertently granting payment management capabilities to low-privileged authenticated users.

Attack Vector

An attacker with a valid Subscriber-level account can exploit this vulnerability by crafting requests to the payment management endpoints. The attack flow involves:

  1. Authenticating to the WordPress site with any valid user account (Subscriber or higher)
  2. Identifying payment or subscription IDs through enumeration or reconnaissance
  3. Sending crafted requests to the Stripe payment action handlers
  4. The wpforms_is_admin_page function fails to block unauthorized access
  5. The SingleActionsHandler.php processes the refund or cancellation request

Since no code examples are available from verified sources, the vulnerability mechanism involves the payment handler accepting AJAX requests or form submissions for refund and cancellation actions. The handler checks if the request originates from an admin page context but does not verify whether the authenticated user possesses administrative capabilities such as manage_options or a custom WPForms capability. Technical details can be found in the WordPress WPForms Stripe Admin Payments Handler source code.

Detection Methods for CVE-2024-11205

Indicators of Compromise

  • Unexpected payment refunds or subscription cancellations in Stripe dashboard not initiated by administrators
  • WordPress audit logs showing payment-related actions by non-administrative users
  • Unusual activity from Subscriber-level accounts accessing payment management endpoints
  • Increased API calls to WPForms Stripe integration endpoints from low-privileged user sessions

Detection Strategies

  • Monitor WordPress user activity logs for Subscriber or Contributor accounts accessing admin payment functionality
  • Review Stripe webhook logs for refund or cancellation events that don't correlate with legitimate administrative actions
  • Implement Web Application Firewall (WAF) rules to detect and alert on suspicious requests to WPForms payment endpoints
  • Audit user role assignments to identify potentially compromised or malicious Subscriber accounts

Monitoring Recommendations

  • Enable comprehensive WordPress audit logging with plugins that track user actions and capability usage
  • Configure Stripe dashboard alerts for refund and subscription cancellation events
  • Set up real-time monitoring for unexpected HTTP requests to /wp-admin/ endpoints from non-admin user sessions
  • Review WPForms form submission and payment logs regularly for anomalous patterns

How to Mitigate CVE-2024-11205

Immediate Actions Required

  • Update WPForms to a version newer than 1.9.2.1 immediately
  • Audit recent payment activity in Stripe for unauthorized refunds or cancellations
  • Review WordPress user accounts and remove unnecessary Subscriber-level accounts
  • Temporarily disable the WPForms Stripe integration if immediate patching is not possible

Patch Information

The vulnerability has been addressed by the WPForms development team. The fix is documented in the WordPress WPForms Lite Changeset 3191229. Site administrators should update to the latest version of WPForms through the WordPress plugin repository. The patch adds proper capability checks to ensure only users with appropriate administrative permissions can access payment management functions.

Workarounds

  • Restrict user registration on WordPress sites using WPForms with payment functionality until patched
  • Use a security plugin to add additional capability checks on WPForms admin endpoints
  • Implement IP-based access restrictions for administrative functions as a defense-in-depth measure
  • Consider temporarily using an alternative payment form solution until the vulnerable plugin can be updated
bash
# Verify current WPForms version and update via WP-CLI
wp plugin list --name=wpforms --fields=name,version,update_version
wp plugin update wpforms --version=latest

# Alternatively for WPForms Lite
wp plugin list --name=wpforms-lite --fields=name,version,update_version
wp plugin update wpforms-lite

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeAuth Bypass
  • Vendor/TechWpforms
  • SeverityMEDIUM
  • CVSS Score6.5
  • EPSS Probability0.52%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityNone
  • CWE References
  • CWE-862
  • Technical References
  • WordPress WPForms Lite Function Check
  • WordPress WPForms Stripe Admin Payments Handler
  • WordPress WPForms Stripe Payments Action
  • Wordfence Vulnerability Report #66898509
  • Vendor Resources
  • WordPress WPForms Lite Changeset 3191229
  • Related CVEs
  • CVE-2026-32446: WPForms Auth Bypass Vulnerability
  • CVE-2026-25339: WPForms Data Disclosure Vulnerability
  • CVE-2020-36919: WPForms XSS Vulnerability via Slider Import
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English