Contact Form by WPForms Vulnerability – Unauthenticated Price Manipulation – CVE-2024-3649 | WordPress Plugin Vulnerability Report

Plugin Name: Contact Form by WPForms

Key Information:

  • Software Type: Plugin
  • Software Slug: wpforms-lite
  • Software Status: Active
  • Software Author: smub
  • Software Downloads: 201,516,943
  • Active Installs: 5,000,000
  • Last Updated: May 1, 2024
  • Patched Versions: 1.8.8.2
  • Affected Versions: <= 1.8.7.2

Vulnerability Details:

  • Name: Contact Form by WPForms – Drag & Drop Form Builder for WordPress <= 1.8.7.2 - Unauthenticated Price Manipulation
  • Type: External Control of Assumed-Immutable Web Parameter
  • CVE: CVE-2024-3649
  • CVSS Score: 5.3 (Medium)
  • Publicly Published: May 1, 2024
  • Researcher: Asaf Mozes
  • Description: The Contact Form by WPForms – Drag & Drop Form Builder for WordPress plugin for WordPress is vulnerable to price manipulation in versions up to, and including, 1.8.7.2. This is due to a lack of controls on several product parameters. This makes it possible for unauthenticated attackers to manipulate prices, product information, and quantities for purchases made via the Stripe payment integration.

Summary:

The Contact Form by WPForms plugin for WordPress has a vulnerability in versions up to and including 1.8.7.2 that allows unauthenticated attackers to manipulate prices, product information, and quantities for purchases made via the Stripe payment integration due to a lack of controls on several product parameters. This vulnerability has been patched in version 1.8.8.2.

Detailed Overview:

Researcher Asaf Mozes discovered an Unauthenticated Price Manipulation vulnerability in the Contact Form by WPForms plugin for WordPress. The vulnerability, identified as CVE-2024-3649, affects versions up to and including 1.8.7.2. It allows unauthenticated attackers to manipulate prices, product information, and quantities for purchases made via the Stripe payment integration. This vulnerability stems from a lack of controls on several product parameters, exposing users to potential financial risks.

Advice for Users:

  1. Immediate Action: Users are strongly encouraged to update to version 1.8.8.2 or later to ensure their WordPress installations are protected against this vulnerability.
  2. Check for Signs of Vulnerability: Review your Stripe transaction history for any suspicious or unauthorized purchases, and consider refunding affected customers if necessary.
  3. Alternate Plugins: While a patch is available, users might still consider plugins that offer similar functionality as a precaution.
  4. Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.

The prompt response from the plugin developers to patch this vulnerability underscores the importance of timely updates. Users are advised to ensure that they are running version 1.8.8.2 or later to secure their WordPress installations.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wpforms-lite

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wpforms-lite/contact-form-by-wpforms-drag-drop-form-builder-for-wordpress-1872-unauthenticated-price-manipulation

Detailed Report:

As a website owner, ensuring the security and integrity of your online presence is a top priority. Neglecting to keep your WordPress plugins up to date can leave your site vulnerable to potential threats, compromising the safety of your data and your users' information. In this blog post, we'll discuss a recently discovered vulnerability in a popular WordPress plugin, Contact Form by WPForms, and emphasize the importance of taking immediate action to protect your website.

The Contact Form by WPForms plugin, a powerful drag & drop form builder for WordPress, has been found to have a serious vulnerability in versions up to and including 1.8.7.2. This vulnerability, identified as CVE-2024-3649 and named "Unauthenticated Price Manipulation," allows attackers to manipulate prices, product information, and quantities for purchases made through the Stripe payment integration without needing to authenticate themselves. With over 5 million active installations and more than 201 million downloads, this vulnerability could potentially impact a significant number of websites.

The risks associated with this vulnerability are considerable. If left unpatched, attackers could exploit this flaw to alter prices, modify product information, and change quantities of items purchased through the Stripe integration. This could lead to financial losses for both the website owner and their customers, as well as damage to the website's reputation and trustworthiness.

To protect your website and your users, it is crucial to update the Contact Form by WPForms plugin to version 1.8.8.2 or later immediately. This patched version addresses the Unauthenticated Price Manipulation vulnerability, ensuring that your site is no longer at risk from this particular threat.

It's worth noting that this is not the first time the Contact Form by WPForms plugin has faced security issues. Since September 2018, there have been six previous vulnerabilities discovered in this plugin. This underscores the importance of staying vigilant and keeping your plugins up to date to minimize the risk of falling victim to such vulnerabilities.

We understand that managing website security can be daunting, especially for small business owners who may not have the time or technical expertise to stay on top of these issues. That's why we recommend taking the following steps to ensure your website's safety:

  1. Update the Contact Form by WPForms plugin to version 1.8.8.2 or later immediately.
  2. Review your Stripe transaction history for any suspicious or unauthorized purchases, and consider refunding affected customers if necessary.
  3. Consider using alternative form builder plugins that have a proven track record of security and reliability.
  4. Regularly monitor your website for any signs of unusual activity or unauthorized changes.
  5. Stay informed about the latest security threats and vulnerabilities affecting WordPress plugins, and take prompt action to update or replace affected plugins.

If you're concerned about the security of your WordPress site or need assistance ensuring that your plugins are up to date, don't hesitate to reach out to a professional web development and security team. They can provide the expertise and support you need to keep your website safe and secure.

In conclusion, the discovery of the Unauthenticated Price Manipulation vulnerability in the Contact Form by WPForms plugin serves as a stark reminder of the importance of staying on top of security vulnerabilities. As a small business owner, your website is a crucial asset, and protecting it should be a top priority. By taking prompt action to update your plugins, regularly monitoring your site for potential threats, and seeking professional assistance when needed, you can ensure that your online presence remains secure and thriving.

Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.

Let us fully audit your site to check for any signs of this vulnerability or other issues. We'll immediately update any out-of-date plugins and harden your site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.

Contact Form by WPForms Vulnerability – Unauthenticated Price Manipulation – CVE-2024-3649 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment