WordPress sites at risk: more than 84,000 sites have installed vulnerable plugins by the same author! Three plugins were found to contain a vulnerability that could let an attacker act as an administrator. Wordfence followed the trail by testing several plugins offered on the WordPress Plugin Directory by the same author.
The Wordfence threat-handling team reported on Nov 5, 2021 that they had discovered a vulnerability in a plugin named Login/Signup Popup, listed in the free WordPress Plugin Directory. Remarkably, this plugin is installed on more than 20,000 WordPress websites. This was only the first discovery on the trail: the team went on to inspect other plugins offered by the same author, XootiX. The second plugin, Side Cart Woocommerce (Ajax), has more than 60,000+ active installations on WordPress websites, and the third, Waitlist Woocommerce ( Back in stock notifier ), is actively installed on more than 4,000 websites.
WordPress sites at risk
The discovered bug lets an attacker update arbitrary site options on the victim’s website. The attacker could trick a site administrator into performing such an action blindly, simply by getting them to click a URL.
Description: Cross-Site Request Forgery to Arbitrary Options Update
Affected Plugins: Login/Signup Popup | Waitlist Woocommerce ( Back in stock notifier ) | Side Cart Woocommerce (Ajax)
Plugin Slugs: easy-login-woocommerce | waitlist-woocommerce | side-cart-woocommerce
Plugin Developer: XootiX
Affected Versions: <= 2.2 | <= 2.5.1 | <= 2.0
CVE ID: CVE-2022-0215
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Versions: 2.3 | 2.5.2 | 2.1
The Wordfence team initiated escalation of this vulnerability to the developers of these plugins. The team first contacted the XootiX developers on 5 November, and the Login/Signup Popup patch was released on 17 December 2021.
The other two plugins remained unpatched for longer. If any of these plugins is installed on your website(s), you are strongly advised to make sure you are running at least the following versions:
version 2.3 for “Login/Signup Popup”
version 2.5.2 for “Waitlist Woocommerce ( Back in stock notifier )”
and version 2.1 for “Side Cart Woocommerce (Ajax)”
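Checking whether an installation is still exposed is a matter of comparing the installed version of each slug against the fixed release. The script below is an added example, not part of the advisory or of the plugins themselves: it reads the standard "Version:" header from the main plugin file under wp-content/plugins/<slug>/ and classifies it against the fixed versions listed above. The slugs and fixed versions come from this page; the directory layout, the function names and the constructed sample header are assumptions for illustration.

```php
<?php
// Added example (not from the advisory or the plugins): check whether the
// three affected XootiX plugins are present in a WordPress install and
// whether the installed version is below the fixed release.

// Slugs and fixed versions as given in the advisory.
const FIXED_VERSIONS = array(
    'easy-login-woocommerce' => '2.3',   // Login/Signup Popup
    'waitlist-woocommerce'   => '2.5.2', // Waitlist Woocommerce ( Back in stock notifier )
    'side-cart-woocommerce'  => '2.1',   // Side Cart Woocommerce (Ajax)
);

// Pull the "Version:" header out of plugin file contents; null if absent.
function plugin_header_version( string $contents ): ?string {
    if ( preg_match( '/^[ \t\/*#@]*Version:\s*(\S+)/mi', $contents, $m ) ) {
        return trim( $m[1] );
    }
    return null;
}

// Locate the main plugin file (the one carrying a "Plugin Name:" header)
// under $plugins_dir/$slug and return its version, or null if not installed.
function installed_plugin_version( string $plugins_dir, string $slug ): ?string {
    $dir = rtrim( $plugins_dir, '/' ) . '/' . $slug;
    if ( ! is_dir( $dir ) ) {
        return null;
    }
    foreach ( glob( $dir . '/*.php' ) as $file ) {
        // Plugin headers live at the top of the file; 8 KB is plenty.
        $head = file_get_contents( $file, false, null, 0, 8192 );
        if ( stripos( $head, 'Plugin Name:' ) !== false ) {
            return plugin_header_version( $head );
        }
    }
    return null;
}

// Classify one slug/version pair against the fixed versions.
function assess( string $slug, ?string $version ): string {
    if ( ! isset( FIXED_VERSIONS[ $slug ] ) ) {
        return 'not an affected plugin';
    }
    if ( $version === null ) {
        return 'not installed';
    }
    return version_compare( $version, FIXED_VERSIONS[ $slug ], '<' )
        ? "VULNERABLE ($version < " . FIXED_VERSIONS[ $slug ] . ')'
        : "patched ($version)";
}

// Constructed sample header (assumption): an install still on Side Cart 2.0.
$sample_header = "<?php\n/*\nPlugin Name: Side Cart Woocommerce (Ajax)\nVersion: 2.0\n*/\n";
echo 'sample: ', assess( 'side-cart-woocommerce', plugin_header_version( $sample_header ) ), "\n";
// prints: sample: VULNERABLE (2.0 < 2.1)

// Real run: php check_xootix.php /var/www/html/wp-content/plugins
$plugins_dir = $argv[1] ?? 'wp-content/plugins';
foreach ( array_keys( FIXED_VERSIONS ) as $slug ) {
    printf( "%-24s %s\n", $slug, assess( $slug, installed_plugin_version( $plugins_dir, $slug ) ) );
}
```

The header parsing mirrors what WordPress itself does when listing plugins, so the check works from the filesystem without loading WordPress; for a fleet of sites, run it against each plugins directory and treat any "VULNERABLE" line as an update that cannot wait.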
POS and Targets
Importantly, these three plugins are aimed at site owners who have installed WooCommerce and other e-commerce helper add-ons, and all of the plugins’ background functionality is powered by Ajax.
The bug is very basic: all three plugins register a “save_settings” function as a wp_ajax action, and this function is incomplete because it is missing a nonce check, meaning there was no validation of the integrity of who was making the request.
```php
public function save_settings() {
    // Capability check only: there is no nonce check, so a request forged
    // from another site but sent by a logged-in administrator's browser
    // passes straight through.
    if ( ! current_user_can( $this->capability ) ) {
        return;
    }
    $formData      = array();
    $parseFormData = parse_str( $_POST['form'], $formData );
    // Every key in the submitted form is written as an option, with no
    // allow-list, so arbitrary site options can be updated.
    foreach ( $formData as $option_key => $option_data ) {
        $option_data = array_map( 'sanitize_text_field', stripslashes_deep( $option_data ) );
        update_option( $option_key, $option_data );
    }
    wp_send_json( array(
        'error'  => 0,
        'notice' => 'Settings Saved',
    ) );
}
```
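For comparison, here is how the same handler looks once the missing pieces are in place. This is an added example and not XootiX’s code or the actual patch: the class name Example_Settings, the nonce action name “xt_save_settings”, the script handle and the allow-listed option keys are all assumptions for illustration. The defensive layers are a nonce check (check_ajax_referer), a capability check that fails loudly, and an allow-list so the handler can only write the options it owns rather than any option in the database (the advisory writes “user_can_register”; the core WordPress option is spelled users_can_register).

```php
<?php
// Added example (not the plugin's own code): a hardened version of the
// save_settings AJAX handler. Example_Settings, 'xt_save_settings' and the
// allow-listed option keys are assumed names for illustration.

class Example_Settings {
    private $capability = 'manage_options';

    // Only these options may be written by this handler. update_option() on
    // an attacker-chosen key is what made the original flaw so damaging.
    private $allowed_options = array( 'xt_popup_enabled', 'xt_popup_title' );

    public function __construct() {
        add_action( 'wp_ajax_xt_save_settings', array( $this, 'save_settings' ) );
        add_action( 'admin_enqueue_scripts', array( $this, 'enqueue' ) );
    }

    public function enqueue() {
        // Hand a nonce to the settings page script so that legitimate
        // requests can carry it as the 'nonce' POST field.
        wp_enqueue_script( 'xt-settings', plugins_url( 'settings.js', __FILE__ ), array( 'jquery' ), '1.0', true );
        wp_localize_script( 'xt-settings', 'xtSettings', array(
            'ajax_url' => admin_url( 'admin-ajax.php' ),
            'nonce'    => wp_create_nonce( 'xt_save_settings' ),
        ) );
    }

    public function save_settings() {
        // 1. Nonce check: proves the request was built by our own settings
        //    page in this admin's session. A cross-site request cannot know
        //    the nonce, so check_ajax_referer() terminates with a 403 here.
        check_ajax_referer( 'xt_save_settings', 'nonce' );

        // 2. Capability check with an explicit error instead of a silent return.
        if ( ! current_user_can( $this->capability ) ) {
            wp_send_json_error( array( 'notice' => 'Insufficient permissions' ), 403 );
        }

        $form_data = array();
        parse_str( isset( $_POST['form'] ) ? wp_unslash( $_POST['form'] ) : '', $form_data );

        foreach ( $form_data as $option_key => $option_data ) {
            // 3. Allow-list: refuse to touch options this plugin does not own,
            //    such as users_can_register or default_role.
            if ( ! in_array( $option_key, $this->allowed_options, true ) ) {
                continue;
            }
            $option_data = is_array( $option_data )
                ? array_map( 'sanitize_text_field', $option_data )
                : sanitize_text_field( $option_data );
            update_option( $option_key, $option_data );
        }

        wp_send_json_success( array( 'notice' => 'Settings Saved' ) );
    }
}

new Example_Settings();
```

The settings page script must post the nonce along with the form (for example `{ action: 'xt_save_settings', nonce: xtSettings.nonce, form: $(form).serialize() }`); without it, check_ajax_referer() rejects the request before any option is touched. The allow-list is the layer that would have contained the damage even if the nonce check had been forgotten again.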
What happens if the vulnerability is exploited?
Because the vulnerable function is reachable through an AJAX action, an attacker only needs to trick an administrator into clicking a link or visiting a certain website while that administrator is authenticated to the vulnerable site. The browser then submits the attacker’s request with the administrator’s session, so the request is authenticated on the administrator’s behalf, and that is what lets the attacker update arbitrary options on the vulnerable website.
Since the handler writes whatever options it is given, the attacker can update any option in the WordPress database with a single request. In particular, abusing the “user_can_register” option together with the “default_role” option would let the attacker register on the vulnerable site as an administrator. From that point the attacker holds the full Administrator role and could perform black-hat SEO, inject backlinks, or otherwise damage or abuse the website.
This made it possible for an attacker to craft a request that would trigger the AJAX action and execute the function. If the attacker could successfully trick a site’s administrator into performing an action like clicking on a link or browsing to a certain website, while the administrator was authenticated to the target site, then the request would be successfully sent and trigger the action which would allow the attacker to update arbitrary options on that website.
You can also read about: GoDaddy was hacked, 1.2 million users affected