Researchers have uncovered a critical vulnerability plaguing three different WordPress plugins. These plugins can affect more than 84,000 websites and may be exploited by threat actors to take over vulnerable websites.
“This flaw made it possible for an attacker to update arbitrary site options on a vulnerable site, provided they could trick a site’s administrator into acting, such as clicking on a link,” WordPress security company Wordfence said in a report published last week.
The cross-site request forgery flaw, tracked as CVE-2022-0215, scores 8.8 (high) on the CVSS scale and affects three plugins maintained by Xootix:
- Login/Signup Popup (Inline Form + Woocommerce),
- Side Cart Woocommerce (Ajax), and
- Waitlist Woocommerce (Back in stock notifier)
Cross-site request forgery, also called a one-click attack or session riding, occurs when an attacker tricks an authenticated end user into submitting a specially crafted web request. “If the victim is an administrative account, CSRF can compromise the entire web application,” OWASP notes in its documentation.
This critical vulnerability stems from inadequate verification when processing AJAX requests, allowing an attacker to set the “users_can_register” option (i.e., anyone can register) on a site to true and set the “default_role” setting (i.e., the default role assigned to newly registered users) to administrator, granting complete control of the site.
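As an added illustration of the pattern described above (example code, not the affected plugins' own), the following hypothetical WordPress AJAX handler updates a site option, first without the checks the vulnerability lacked and then hardened with a nonce check, a capability check and an allowlist of the settings the endpoint may write. All names beginning with `xplug_` are invented.

```php
<?php
// Added example, not the XootiX plugins' code. Names beginning with xplug_ are hypothetical.

// BEFORE: a handler that trusts any request from a logged-in user. WordPress
// only verifies the session cookie here, so a forged request that an
// administrator is tricked into sending (CSRF) is processed like a real one.
add_action( 'wp_ajax_xplug_save_setting_unsafe', function () {
    $name  = isset( $_POST['name'] )  ? sanitize_key( $_POST['name'] ) : '';
    $value = isset( $_POST['value'] ) ? wp_unslash( $_POST['value'] )  : '';
    // Arbitrary option name: core options such as users_can_register are reachable.
    update_option( $name, $value );
    wp_send_json_success();
} );

// AFTER: the same endpoint with the three checks a defender expects.
add_action( 'wp_ajax_xplug_save_setting', 'xplug_save_setting' );

function xplug_save_setting() {
    // 1. Nonce: the request must carry a token issued to this user for this
    //    action, which a third-party page cannot obtain. Dies on failure.
    check_ajax_referer( 'xplug_save_setting', 'nonce' );

    // 2. Capability: being logged in is not enough; require the right to
    //    manage options explicitly.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Allowlist: only the plugin's own settings may be written, never
    //    arbitrary core options.
    $allowed = array( 'xplug_popup_enabled', 'xplug_popup_delay' );
    $name    = isset( $_POST['name'] ) ? sanitize_key( $_POST['name'] ) : '';
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'unknown setting', 400 );
    }

    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( $name, $value );
    wp_send_json_success( array( 'updated' => $name ) );
}

// The plugin's admin script receives the matching nonce to send with each request.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'xplug-admin', 'xplugAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'xplug_save_setting' ),
    ) );
} );
```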
Login/Signup Popup is installed on over 20,000 sites, while Side Cart Woocommerce and Waitlist Woocommerce have been installed on more than 4,000 and 60,000 sites, respectively.
“Though this Cross-Site Request Forgery (CSRF) vulnerability is less likely to be exploited due to the fact that it requires administrator interaction, it can have a significant impact to a successfully exploited site and, as such, it serves as an incredibly important reminder to remain aware when clicking on links or attachments and to ensure that you are regularly keeping your plugins and themes up to date,” Wordfence’s Chloe Chamberland said.