WordPress plugins affected by critical vulnerability impacting 84,000 websites

Threat Advisories

WordPress plugins affected by critical vulnerability impacting 84,000 websites

January 17, 2022

THREAT LEVEL: Amber.

For a detailed advisory, download the pdf file here.

WordPress powers over 43.0% of all the websites on the Internet. A Cross-Site Request Forgery vulnerability (CVE-2022-0215) was discovered in three plugins of WordPress. This flaw made it possible for an attacker to update arbitrary site options on a vulnerable site, provided they could trick a site’s administrator into performing an action, such as clicking on a link.

The vulnerability (CVE-2022-0215) is made effective due to lack of validation when processing AJAX requests, effectively enabling an attacker to update the “users_can_register” (i.e., anyone can register) option on a site to true and set the “default_role” setting (i.e., the default role of users who register at the blog) to administrator, granting complete control.

The flaw impacts three plugins maintained by Xootix:

  • Login/Signup Popup (Over 20000 websites)
  • Side Cart WooCommerce (Over 4000 websites)
  • Waitlist WooCommerce (Over 60000 websites)

Hive Pro researcher strongly recommends that affected customers upgrade to a fixed version as soon as possible. 

Vulnerability Details

 

Patch Link

https://www.wordfence.com/blog/2022/01/84000-wordpress-sites-affected-by-three-plugins-with-the-same-vulnerability/

References

https://thehackernews.com/2022/01/high-severity-vulnerability-in-3.html

https://securityaffairs.co/wordpress/126821/hacking/wordpress-plugins-flaws-2.html?utm_source=rss&utm_medium=rss&utm_campaign=wordpress-plugins-flaws-2

Recent Posts

Join Our Newsletter 14,000+ subscribers and growing! Get top cybersecurity news delivered directly to your inbox.