Security experts last week disclosed a critical WordPress plugin vulnerability affecting over 84,000 websites that threat actors could exploit in cyberattacks.
The researchers show that the vulnerability, tracked as CVE-2022-0215 and rated 8.8 on the CVSS scale, is a cross-site request forgery flaw (CSRF) and was discovered in three WordPress plugins maintained by XootiX:
- Login/Signup Popup (installed on over 20,000 websites)
- Side Cart Woocommerce (installed on over 4,000 websites)
- Waitlist Woocommerce (installed on over 60,000 websites)
“This flaw made it possible for an attacker to update arbitrary site options on a vulnerable site, provided they could trick a site’s administrator into performing an action, such as clicking on a link,” according to a report by WordPress security company Wordfence.
CSRF attacks, also known as session-riding or one-click attacks, occur when perpetrators trick authenticated users (often administrators) into submitting specially crafted web requests. Threat actors can compromise entire web applications if the target has administrator privileges.
To be more specific, the flaw relies on vulnerable web apps that don’t require validation while processing AJAX requests. This lets perpetrators set the “users_can_register” option to true and change the “default_role” parameter to administrator on vulnerable websites. Altering these options lets attackers effortlessly create administrator accounts with full privileges.
Reportedly, Wordfence sent XootiX the full disclosure on Nov. 5, 2021, and the developer addressed the vulnerability in Login/Signup Popup version 2.3, Waitlist Woocommerce 2.5.2, and Side Cart Woocommerce version 2.1.
Security researchers believe this CSRF vulnerability is not likely to be exploited because it requires interaction from an administrative account. However, the flaw should serve as a critical reminder that accessing links and attachments haphazardly could harm your website, and keeping plugins and themes up to date is paramount to website security.