WordPress plugins affected by critical vulnerability impacting 84,000 websites

WordPress powers over 43.0% of all websites on the Internet. A Cross-Site Request Forgery (CSRF) vulnerability (CVE-2022-0215) was discovered in three WordPress plugins. The flaw allowed an attacker to update arbitrary site options on a vulnerable site, provided they could trick the site's administrator into performing an action such as clicking a link.

The vulnerability (CVE-2022-0215) stems from a lack of validation when the plugins process AJAX requests. This allows an attacker to set the "users_can_register" option (i.e., anyone can register) to true and the "default_role" setting (i.e., the default role assigned to newly registered users) to administrator, granting complete control of the site.
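To make the flaw class concrete from a defender's point of view, the following added example (not code from the Xootix plugins or from Hive Pro) contrasts a hypothetical settings-saving AJAX handler that accepts any option name from any request with a hardened version. The handler, option and nonce names (`example_save_settings`, `example_popup_enabled`, `example_popup_delay`) are assumptions invented for the example.

```php
<?php
// Added example, not plugin code. Both functions are hypothetical handlers
// for a WordPress admin-ajax action that saves a plugin's settings.

// Vulnerable pattern (shown for contrast only, do not register it):
// no nonce check, no capability check, and the request chooses the option
// names, so a forged request from a logged-in admin's browser can write
// core options such as users_can_register and default_role.
function example_save_settings_vulnerable() {
    foreach ( (array) $_POST['settings'] as $key => $value ) {
        update_option( sanitize_key( $key ), $value );
    }
    wp_send_json_success();
}

// Hardened pattern: three independent controls.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_hardened' );
function example_save_settings_hardened() {
    // 1. CSRF protection: the request must carry a nonce bound to this action.
    //    check_ajax_referer() terminates the request (HTTP 403) if it is missing or invalid.
    check_ajax_referer( 'example_save_settings', 'security' );

    // 2. Authorisation: even a valid nonce from a low-privileged user must not
    //    be enough to change site settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Allow-list: the code, not the request, decides which options exist.
    $allowed  = array( 'example_popup_enabled', 'example_popup_delay' );
    $incoming = isset( $_POST['settings'] ) && is_array( $_POST['settings'] )
        ? $_POST['settings'] : array();

    foreach ( $allowed as $key ) {
        if ( array_key_exists( $key, $incoming ) ) {
            update_option( $key, sanitize_text_field( wp_unslash( $incoming[ $key ] ) ) );
        }
    }
    wp_send_json_success();
}

// The admin-side JavaScript must send this nonce as the "security" field;
// 'example-admin' is an assumed script handle registered elsewhere.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'nonce' => wp_create_nonce( 'example_save_settings' ),
    ) );
} );
```

On a site that ran a vulnerable version, the two options the advisory names can be inspected with `wp option get users_can_register` and `wp option get default_role`; unexpected values, or administrator accounts created around the time of exposure, warrant an incident review rather than just a patch.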

The flaw impacts three plugins maintained by Xootix:

  • Login/Signup Popup (over 20,000 websites)
  • Side Cart WooCommerce (over 4,000 websites)
  • Waitlist WooCommerce (over 60,000 websites)

Hive Pro researchers strongly recommend that affected customers upgrade to a fixed version as soon as possible.

Vulnerability Details


Patch Link