Critical Vulnerability in 3 WordPress Plugins Impacts 84,000 Websites

Vlad CONSTANTINESCU

January 17, 2022

Security experts last week disclosed a critical WordPress plugin vulnerability affecting over 84,000 websites that threat actors could exploit in cyberattacks.

The researchers report that the vulnerability, tracked as CVE-2022-0215 and rated 8.8 on the CVSS scale, is a cross-site request forgery (CSRF) flaw discovered in three WordPress plugins maintained by XootiX:

  • Login/Signup Popup (installed on over 20,000 websites)
  • Side Cart Woocommerce (installed on over 4,000 websites)
  • Waitlist Woocommerce (installed on over 60,000 websites)

“This flaw made it possible for an attacker to update arbitrary site options on a vulnerable site, provided they could trick a site’s administrator into performing an action, such as clicking on a link,” according to a report by WordPress security company Wordfence.

CSRF attacks, also known as session-riding or one-click attacks, occur when perpetrators trick authenticated users (often administrators) into submitting specially crafted web requests. Threat actors can compromise entire web applications if the target has administrator privileges.

More specifically, the affected plugins process AJAX requests without validating that the request was intentionally issued by the authenticated user. This lets perpetrators set the “users_can_register” option to true and change the “default_role” option to administrator on vulnerable websites. With those two options altered, an attacker can simply register a new account and receive full administrator privileges.
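As an added illustration (not code from XootiX, Wordfence or Bitdefender), here is a hypothetical WordPress AJAX option-saving handler in the shape the report describes, beside a hardened version that adds the missing request validation, capability check and option allowlist. All `hyp_`-prefixed names, the option names and the nonce action string are assumptions; the WordPress functions used are the real core API.

```php
<?php
// Added example, not the plugins' own code. Both handlers hang off wp_ajax_*,
// so WordPress already requires a logged-in session before they run.

// VULNERABLE shape: the handler trusts whatever option name and value the request
// carries. If an administrator is lured onto an attacker-controlled page, the
// browser attaches the admin's session cookies to a cross-site POST here, and
// users_can_register / default_role are overwritten without the admin noticing.
function hyp_save_option_vulnerable() {
    $name  = isset( $_POST['option_name'] )  ? $_POST['option_name']  : '';
    $value = isset( $_POST['option_value'] ) ? $_POST['option_value'] : '';
    update_option( $name, $value );   // arbitrary site option write
    wp_send_json_success();
}

// HARDENED shape: three checks the vulnerable version lacks.
function hyp_save_option_hardened() {
    // 1. CSRF defence: the request must carry a nonce that only a page rendered by
    //    this site for this user contains; a form on a third-party site cannot forge it.
    check_ajax_referer( 'hyp_save_option', 'nonce' );   // sends 403 and exits on failure

    // 2. Authorisation: being logged in is not the same as being allowed to edit options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Allowlist: only the plugin's own settings are writable, never core options
    //    such as users_can_register or default_role.
    $allowed = array( 'hyp_popup_enabled', 'hyp_popup_delay' );   // hypothetical
    $name    = isset( $_POST['option_name'] ) ? sanitize_key( $_POST['option_name'] ) : '';
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }
    $value = isset( $_POST['option_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['option_value'] ) )
        : '';
    update_option( $name, $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_hyp_save_option', 'hyp_save_option_hardened' );

// The nonce is minted when the plugin's admin page renders and handed to its
// JavaScript (handle 'hyp-admin' assumed registered), which posts it back as 'nonce'.
function hyp_localize_admin_script() {
    wp_localize_script( 'hyp-admin', 'hypAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'hyp_save_option' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'hyp_localize_admin_script' );
```

When reviewing a plugin, searching every `wp_ajax_*` and `wp_ajax_nopriv_*` handler for a missing `check_ajax_referer()` or `current_user_can()` call is a quick way to find this exact class of flaw.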

Reportedly, Wordfence sent XootiX the full disclosure on Nov. 5, 2021, and the developer addressed the vulnerability in Login/Signup Popup version 2.3, Waitlist Woocommerce 2.5.2, and Side Cart Woocommerce version 2.1.

Security researchers believe this CSRF vulnerability is not likely to be exploited because it requires interaction from an administrative account. However, the flaw should serve as a critical reminder that accessing links and attachments haphazardly could harm your website, and keeping plugins and themes up to date is paramount to website security.
