“The chain of exploitation underscores the importance of securing every component of a WordPress site, especially third‑party themes and plugins, which can become critical points of entry for attackers.”
The development comes as Wordfence disclosed a high-severity flaw in the WPForms plugin (CVE-2024-11205, CVSS score: 8.5) that makes it possible for authenticated attackers, with Subscriber-level access and above, to refund Stripe payments and cancel subscriptions.
The vulnerability, which affects versions 1.8.4 up to and including 1.9.2.1, has been fixed in version 1.9.2.2 and later. The plugin is installed on over 6 million WordPress sites.
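A defender-side triage check for the version range above, added here as an example that is not part of the article or of WPForms itself: it compares dotted version strings component-wise (so that 1.9.2 sorts below 1.9.2.1) and classifies each site in a constructed inventory of hypothetical hostnames.

```python
# Added example (not from the article): flag WPForms installs whose version
# falls in the affected range reported for CVE-2024-11205, 1.8.4 through
# 1.9.2.1 inclusive, with the fix shipping in 1.9.2.2.

AFFECTED_MIN = "1.8.4"    # first affected version (from the article)
AFFECTED_MAX = "1.9.2.1"  # last affected version (from the article)
FIXED_IN = "1.9.2.2"      # first patched version (from the article)


def parse_version(version: str) -> tuple:
    """Turn '1.9.2.1' into (1, 9, 2, 1); tolerate a 'v' prefix and a '-tag' suffix."""
    core = version.strip().lstrip("vV").split("-")[0]
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    # Trailing zeros do not change the version: 1.9.2.0 == 1.9.2
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the installed WPForms version lies inside the vulnerable range."""
    v = parse_version(version)
    return parse_version(AFFECTED_MIN) <= v <= parse_version(AFFECTED_MAX)


def triage(inventory: dict) -> dict:
    """Map site -> 'vulnerable' / 'patched' / 'below range' for a {site: version} inventory."""
    result = {}
    for site, version in inventory.items():
        if is_affected(version):
            result[site] = "vulnerable"
        elif parse_version(version) >= parse_version(FIXED_IN):
            result[site] = "patched"
        else:
            result[site] = "below range"  # older than the first affected release
    return result


# Constructed sample inventory; hostnames are hypothetical, not real sites
SAMPLE_INVENTORY = {
    "shop.example": "1.9.2.1",
    "blog.example": "1.9.2.2",
    "legacy.example": "1.8.3",
    "store.example": "v1.9.2",
}

if __name__ == "__main__":
    for site, status in triage(SAMPLE_INVENTORY).items():
        print(f"{site}: {status}")
```

Versions below 1.8.4 are reported only as outside this range; that says nothing about other issues in those older releases.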