These three WordPress plugins with the same vulnerability give the attacker to access your login and e-commerce add-ons by taking over the site completely.

The Wordfence Threat Intelligence team started a process to disclose a vulnerability researchers on Nov. 5, 2021, had found in “Login/Signup Popup,” a WordPress plug-in installed on more than 20,000 sites, Wordfence’s Chloe Chamberland wrote in a post published on January 13, 2022

But, a few days later they again discovered that the flaw was present in 2 other plugins by the same developer, who goes by the online name of XootiX. 

They are “Waitlist Woocommerce (Back in stock notifier),” which has been installed on more than 4,000, and

“Side Cart Woocommerce (Ajax),” which has been installed on more than 60,000 sites.

This flaw made it possible for attackers to update arbitrary site options on a vulnerable site, provided they could easily trick a website’s admin into performing an action, such as clicking on a link.

Wordfence has sent the full disclosure details on Nov 5, 2021, after the developer confirmed the appropriate channel to handle communications. After their several follow-ups, a patched version was released on Nov 24, 2021 for “Login/Signup Popup”, while patched versions of “Waitlist Woocommerce ( Back in stock notifier )” and “Side Cart Woocommerce (Ajax)” were released on Dec 17, 2021.

It is strongly recommended that your site to be updated to the latest patched version of any of these plugins, which is version 2.5.2 for “Waitlist Woocommerce ( Back in stock notifier )”, version 2.1 for “Side Cart Woocommerce (Ajax)”, and version 2.3 for “Login/Signup Popup” at the time of this publication.

Description: Cross-Site Request Forgery to Arbitrary Options Update

Affected Plugins: Login/Signup Popup | Waitlist Woocommerce ( Back in stock notifier ) | Side Cart Woocommerce (Ajax)

Plugin Slugs: easy-login-woocommerce | waitlist-woocommerce | side-cart-woocommerce

Plugin Developer: XootiX

Affected Versions: <= 2.2 | <= 2.5.1 | <= 2.0

CVE ID: CVE-2022-0215

CVSS Score: 8.8 (High)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Researcher/s: Chloe Chamberland

Fully Patched Versions: 2.3 | 2.5.2 | 2.1

All 3 of the affected plugins by XootiX are designed to provide enhanced features to WooCommerce sites. The Login/Signup Popup plugin was designed to add login and signup pop-ups to both Woocommerce powered sites and Standard sites, while the Side Cart Woocommerce was designed to make shopping carts available from anywhere on a site all powered via AJAX, and Waitlist WooCommerce plugin was designed to add a product waitlist and notifier for out of stock items.

How Does This Attack Works?

The vulnerability is simple. All three plugins register the save_settings function which is initiated via a wp_ajax action. This function was missing a nonce check which meant that there was no validation on the integrity of who was conducting the request.

This made it possible for an attacker to craft a request that would trigger the AJAX action and execute the function. If the attacker could successfully trick a site’s admin into performing an action like clicking on a link or browsing to a certain website, while the administrator was authenticated to the target site, then the request would be successfully sent and trigger the action which would allow the attacker to update arbitrary options on that website.

Arbitrary Options Update vulnerabilities make it possible for attackers to update any option on the WordPress website. Attackers frequently abuse these to set the user_can_register option to true and the default_role option to admin so that they can register on the vulnerable site as an administrator and completely take it over.

New Thing To Be Reminded

Though this Cross-Site Request Forgery (CSRF) vulnerability is less likely to be exploited due to the fact that it requires administrator interaction, it can have a significant impact on a successfully exploited site and, as such, it serves as an incredibly important reminder to remain aware when clicking on links or attachments and to ensure that you are regularly keeping your plugins and themes up to date.

Wordfence Timeline

November 5, 2021 – Conclusion of the plugin analysis that led to the discovery of a CSRF to Arbitrary Option Update vulnerability in the Login/Signup Popup plugin. We develop and release a firewall rule to protect Wordfence users. Wordfence Premium users receive this rule immediately. We initiate contact with the developer and provide full disclosure on the same day.
November 10, 2021 – We follow-up with the developer to inform them that both “Side Cart Woocommerce (Ajax)” and “Waitlist Woocommerce ( Back in stock notifier )” plugins are also affected by the same vulnerability.
November 19, 2021 – We follow up with the developer to check on the status of the patches.
November 24, 2021 – A patched version of “Login/Signup Popup” is released as version 2.3.
November 24, 2021 – December 13, 2021 – We attempt to follow up with the developer about patches for the remaining two plugins.
December 5, 2021 – The firewall rule becomes available to free Wordfence users.
December 17, 2021 – A patched version of “Waitlist Woocommerce ( Back in stock notifier )” is released as 2.5.2, and a patched version of “Side Cart Woocommerce (Ajax)” is released as version 2.1.

Conclusion

The flaw present in three plugins which are developed by the same developer Xootix would make it possible for attackers to gain admin access to websites when successfully exploited.

By the way, this flaw has been fully patched in all three plugins.

So it is recommended that you verify your WordPress site to be updated to the latest patched version available for these three plugins which are version 2.1 for “Side Cart Woocommerce (Ajax)”, version 2.3 for “Login/Signup Popup”, and version 2.5.2 for “Waitlist Woocommerce ( Back in stock notifier )” at the time of this publication.

Share this security information with your friends or colleague so they can avoid being attacked by any of these security issues that can lead an attacker to completely take over their site.