CyberManipal.

Tech news from MIST

High-Severity Vulnerability in 3 WordPress plug-ins affected 84,000 websites


Ruchira Garai

January 17, 2022

Researchers have disclosed a security flaw in three WordPress plugins that together affect over 84,000 websites and that a malicious actor could abuse to take over vulnerable sites. Login/Signup Popup is installed on over 20,000 sites, while Side Cart Woocommerce and Waitlist Woocommerce have been installed on more than 4,000 and 60,000 sites, respectively.

Tracked as CVE-2022-0215, the cross-site request forgery (CSRF) flaw is rated 8.8 on the CVSS scale and impacts three plugins maintained by Xootix: Login/Signup Popup (Inline Form + Woocommerce), Side Cart Woocommerce (Ajax), and Waitlist Woocommerce (Back in stock notifier). Following responsible disclosure by Wordfence researchers in November 2021, the issue has been addressed in Login/Signup Popup version 2.3, Side Cart Woocommerce version 2.1, and Waitlist Woocommerce version 2.5.2.

The findings come a little over a month after attackers exploited weaknesses in four plugins and 15 Epsilon Framework themes to target 1.6 million WordPress sites as part of a large-scale attack campaign originating from 16,000 IP addresses.

Abridged from The Hacker News
