Vulnerability Database

296,172

Total vulnerabilities in the database

CVE-2024-11205

The WPForms plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'wpforms_is_admin_page' function in versions starting from 1.8.4 up to, and including, 1.9.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to refund payments and cancel subscriptions.

  • Published: Dec 10, 2024
  • Updated: Aug 13, 2025
  • CVE: CVE-2024-11205
  • Severity: Medium
  • Exploit:

CVSS v3:

  • Severity: Medium
  • Score: 6.5
  • AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

CWEs:

Software From Fixed in
wpforms / wpforms 1.8.4 1.9.2.2