Researchers from WordPress security company Wordfence discovered a high-severity vulnerability that affects three different WordPress plugins that impact over 84,000 websites. The vulnerability tracked as CVE-2022-0215 is a cross-site request forgery (CSRF) issue that received a CVSS score of 8.8.
A threat actor could exploit the vulnerability to take over vulnerable websites.
The flaw impacts three plugins maintained by Xootix:
“On November 5, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Login/Signup Popup”, a WordPress plugin that is installed on over 20,000 sites. A few days later we discovered the same vulnerability present in two additional plugins developed by the same author: “Side Cart Woocommerce (Ajax)”, installed on over 60,000 sites, and “Waitlist Woocommerce ( Back in stock notifier )”, installed on over 4,000 sites.” reads the advisory published by Wordfence. “This flaw made it possible for an attacker to update arbitrary site options on a vulnerable site, provided they could trick a site’s administrator into performing an action, such as clicking on a link.”
The three plugins by XootiX are designed to provide enhanced features to WooCommerce sites. The Login/Signup Popup plugin allows to add login and signup pop-ups to standard sites and sites running the WooCommerce plugin, the Waitlist WooCommerce plugin that allows adding a product waitlist and notifier for out of stock items and Side Cart Woocommerce that was designed to make shopping carts available from anywhere on a site all powered via AJAX.
The impacted plugins register the save_settings function which is initiated via a wp_ajax action. The root cause of the flaw is the lack of validation on the integrity of who was sending the AJAX request.
An attacker can abuse the issue to update the “users_can_register” (i.e., anyone can register) option on a site to true and set the “default_role” setting (i.e., the default role of users who register at the blog) to administrator, so that they can register on the vulnerable site as an administrator and completely take it over.
“This made it possible for an attacker to craft a request that would trigger the AJAX action and execute the function. If the attacker could successfully trick a site’s administrator into performing an action like clicking on a link or browsing to a certain website, while the administrator was authenticated to the target site, then the request would be successfully sent and trigger the action which would allow the attacker to update arbitrary options on that website.” continues the analysis.
WordPress users have to check that the version running on their sites have been updated to the latest patched version available for these plugins, which is version 2.3 for “Login/Signup Popup”, version 2.5.2 for “Waitlist Woocommerce ( Back in stock notifier )”, and version 2.1 for “Side Cart Woocommerce (Ajax).”
Below is the timeline for this flaw:
November 5, 2021 – Conclusion of the plugin analysis that led to the discovery of a CSRF to Arbitrary Option Update vulnerability in the Login/Signup Popup plugin. We develop and release a firewall rule to protect Wordfence users. Wordfence Premium users receive this rule immediately. We initiate contact with the developer and provide full disclosure on the same day.
November 10, 2021 – We follow-up with the developer to inform them that both “Side Cart Woocommerce (Ajax)” and “Waitlist Woocommerce ( Back in stock notifier )” plugins are also affected by the same vulnerability.
November 19, 2021 – We follow-up with the developer to check on the status of the patches.
November 24, 2021 – A patched version of “Login/Signup Popup” is released as version 2.3.
November 24, 2021 – December 13, 2021 – We attempt to follow up with the developer about patches for the remaining two plugins.
December 5, 2021 – The firewall rule becomes available to free Wordfence users.
December 17, 2021 – A patched version of “Waitlist Woocommerce ( Back in stock notifier )” is released as 2.5.2, and a patched version of “Side Cart Woocommerce (Ajax)” is released as version 2.1.
(SecurityAffairs – hacking, plugins)