ANALYSIS · ca8d1f41· FINISHED 2026-06-13 · PATCHDIFF

wpforms-lite1.9.2.1 → 1.9.2.2✓ COMPLETED

Files5

Vulnerable2

True positives0

CVE matched1

1 CVE article ready PatchLeaks generated full security writeups for the matched CVEs · one per CVE, with affected files linked

CVE-2024-11205

FILTERS 0

SEARCH

STATUS

JUDGE

CVE MATCH

EXTENSION

CWE

OPTIONS

Hide “No vulnerability” Hide unjudged

SCOPE

All 5 CVE 1 Vuln 2

SORT

1 files · page 1/1

src/Integrations/Stripe/Admin/Payments/SingleActionsHandler.php

AI: 1 vulnerabilities

CWE-276: Incorrect Default Permissions CVE-2024-11205

#%!d(float64=002)

1–1 of 1

⌖

Select a file from the list to inspect its diff and AI analysis.

↑ ↓ to navigate

CVES 1

CVE-2024-11205

Security writeup for CVE-2024-11205

✓ 1 FILE

## The Exploit

**An authenticated Subscriber can refund payments and cancel subscriptions by sending an AJAX request with a valid nonce, because the handler performs no capability check before processing the action.**

```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: target.wordpress.local
Content-Type: application/x-www-form-urlencoded
Cookie: wordpress_logged_in=subscriber_session_token

action=wpforms_stripe_payment_action&nonce=<valid_wpforms-admin_nonce>&payment_id=12345&payment_action=refund
```

The server responds with `{"success":true}` and the payment is refunded. The subscriber's account level never changes; they remain authenticated only as a Subscriber. The Stripe refund is processed server-side, and depending on the subscription action requested, recurring charges can be cancelled without administrative access.

## What the Patch Did

**Before:**
```php
if ( empty( $_POST['payment_id'] ) ) {
    wp_send_json_error( [ 'message' => esc_html__( 'Missing payment ID.', 'wpforms-lite' ) ] );
}

$this->check_payment_collection_type();
check_ajax_referer( 'wpforms-admin', 'nonce' );
```

**After:**
```php
if ( empty( $_POST['payment_id'] ) ) {
    wp_send_json_error( [ 'message' => esc_html__( 'Missing payment ID.', 'wpforms-lite' ) ] );
}

if ( ! wpforms_current_user_can( wpforms_get_capability_manage_options() ) ) {
    wp_send_json_error( [ 'message' => esc_html__( 'You are not allowed to perform this action.', 'wpforms-lite' ) ] );
}

$this->check_payment_collection_type();
check_ajax_referer( 'wpforms-admin', 'nonce' );
```

The patch adds an explicit capability check using `wpforms_current_user_can( wpforms_get_capability_manage_options() )` before any payment action is executed. This WordPress-style authorization control mirrors the standard `current_user_can()` pattern and ensures only users with administrative privileges can reach the payment refund and subscription cancellation logic. The check is placed before nonce verification, establishing the principle that authorization precedes authentication validation.

## Root Cause

**CWE-276: Incorrect Default Permissions.** The AJAX handler in `SingleActionsHandler.php` accepts the `payment_id` and `payment_action` parameters from `$_POST` without verifying that the requesting user holds admin-level capabilities. The nonce check (`check_ajax_referer( 'wpforms-admin', 'nonce' )`) ensures the request originated from a legitimate WordPress session and is CSRF-protected, but a nonce is issued to all authenticated users. The trust boundary between subscriber and administrator is never checked; once the nonce validates, the handler assumes the request is authorized to modify payment records and execute refunds. This is a textbook authorization bypass: authentication (nonce) passes, but authorization (role/capability) is never evaluated.

## Why It Works

The load-bearing line is:
```php
if ( ! wpforms_current_user_can( wpforms_get_capability_manage_options() ) ) {
```

Removing this line alone restores the vulnerability; the bug is exploitable without it. The `wp_send_json_error()` that follows is the enforcement mechanism—it terminates execution before the refund logic runs. The engineers added `wpforms_get_capability_manage_options()` to retrieve the correct capability name (likely mapped to WordPress' `manage_options` or a custom WPForms capability), ensuring the check targets the intended privilege level, not a lower one. The placement *before* `check_ajax_referer()` reflects defense-in-depth: deny unauthorized actors first, *then* validate that authorized actors provided a valid token. If the order were reversed, a subscriber's forged CSRF token would be checked and rejected before the code ever realized the user lacked permission—a logic error that could confuse audit logs.

## Hardening Checklist

- **Audit all AJAX handlers for missing capability checks.** Search your codebase for `check_ajax_referer()` calls and verify each is paired with a preceding `current_user_can()` check scoped to the correct capability (usually `manage_options` or a custom capability for payment/billing operations). Do not rely on nonce validation alone as a substitute for role checks.

- **Use explicit capability checks before state-changing operations.** Any AJAX endpoint that modifies data—refunds, cancellations, subscription updates—must call `current_user_can()` with a specific capability before the operation begins. Pair this with input validation using `sanitize_text_field()` or `intval()` on the `payment_id` parameter to prevent secondary issues.

- **Establish a baseline capability for payment actions.** Define a single custom or standard capability (e.g., `manage_options`, `manage_woocommerce_payments`) that all payment-related handlers require, then document and enforce this in code review. Use a consistent wrapper function like `wpforms_current_user_can()` to reduce copy-paste errors.

- **Test authorization boundaries in integration tests.** Write tests that send requests as Subscriber, Editor, and Administrator roles, asserting that only the appropriate role succeeds. This catches regressions when helpers like `wpforms_current_user_can()` are accidentally omitted or misconfigured.

- **Order security checks as: Authorization → Authentication → Input Validation.** Verify role/capability first, then validate nonce/token, then sanitize data. This order minimizes the attack surface and makes the intent of the code unmistakable to reviewers.

## References

- https://nvd.nist.gov/vuln/detail/CVE-2024-11205

CVE CVE-2024-11205

PRODUCT wpforms-lite

AFFECTED ≤ 1.9.2.1

FIXED IN 1.9.2.2

STATUS Generated

Security writeup · CVE-2024-11205

Source files · 1

src/Integrations/Stripe/Admin/Payments/SingleActionsHandler.php Linked

↗ NVD