WordPress Sites Affected by Three Plugins with the Same Vulnerability

  • CERT Admin
  • Fri Jan 21 2022
  • Alerts

Threat Level 

HIGH  

Components Affected  

  • Login/Signup popup (inline form + Woocommerce) - versions 2.2 and below 
  • Side cart Woocommerce (Ajax) - versions 2.0 and below 
  • Waitlist Woocommerce (Back in stock notifier) - versions 2.5.1 and below  

Overview 

This vulnerability allows an attacker to update arbitrary site options on a vulnerable site, provided they can trick the site's administrator into performing an action, such as clicking a link.

Description 

Cross-site request forgery (CSRF) occurs when an authenticated end-user is tricked by an attacker into submitting a specially crafted web request. Because the browser attaches the victim's existing session cookies, the application processes the request as if the victim had intended it. CSRF can compromise the entire web application if the victim account is an administrator account.
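The Overview and Description above describe an option-update handler that acts on any request an administrator's browser sends, with no proof that the administrator intended it. The following is an added example, not code from the advisory or from any of the three plugins named on this page: a hypothetical WordPress admin-ajax handler shown first in the weak form and then hardened with the standard WordPress defences (a per-action nonce checked with check_ajax_referer(), a capability check, and a fixed, sanitised option name). All myplugin_* names, the option name and the script handle are assumed placeholders.

```php
<?php
// Added example (not from the advisory or the affected plugins).
// All myplugin_* identifiers are assumed placeholders.

// --- Weak pattern: the handler trusts whoever reaches it. ---
// Any request that arrives with an administrator's session cookies is acted on,
// which is exactly the condition CSRF exploits: the admin never had to intend it.
function myplugin_save_settings_unsafe() {
    $value = isset( $_POST['myplugin_setting'] ) ? $_POST['myplugin_setting'] : '';
    update_option( 'myplugin_setting', $value );
    wp_send_json_success();
}
// add_action( 'wp_ajax_myplugin_save_unsafe', 'myplugin_save_settings_unsafe' );

// --- Hardened pattern: nonce + capability + fixed, sanitised option. ---
function myplugin_save_settings_safe() {
    // 1. CSRF check. The request must carry a nonce that WordPress generated for
    //    this action and this user's session. check_ajax_referer() terminates the
    //    request with a 403 / "-1" body if the nonce is missing or invalid, so a
    //    forged request from another origin never reaches update_option().
    check_ajax_referer( 'myplugin_save_settings', 'nonce' );

    // 2. Authorisation. A valid nonce only proves the request came from a page we
    //    rendered for this user; it says nothing about whether that user may change
    //    site options. Check the capability explicitly.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Only touch the one option this handler owns, and sanitise the value.
    //    The client must never be allowed to choose the option name.
    $value = isset( $_POST['myplugin_setting'] )
        ? sanitize_text_field( wp_unslash( $_POST['myplugin_setting'] ) )
        : '';
    update_option( 'myplugin_setting', $value );

    wp_send_json_success( array( 'saved' => $value ) );
}
// Registered for logged-in users only: no wp_ajax_nopriv_ hook, so unauthenticated
// visitors cannot reach the handler at all.
add_action( 'wp_ajax_myplugin_save_settings', 'myplugin_save_settings_safe' );

// Hand the nonce to the admin page's script so legitimate requests can include it.
// 'myplugin-admin' and admin.js are assumed placeholders.
function myplugin_enqueue_admin_script() {
    wp_enqueue_script( 'myplugin-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'myplugin-admin', 'myplugin', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        // The same action string used in check_ajax_referer() above.
        'nonce'    => wp_create_nonce( 'myplugin_save_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'myplugin_enqueue_admin_script' );
```

When reviewing a plugin for this class of bug, look for every wp_ajax_* or admin_post_* callback and for form handlers on admin pages, and confirm that each one performs all three steps before calling update_option(): the nonce check, the capability check, and a hard-coded option name. A nonce on its own is not enough, and a capability check on its own does not stop CSRF, because the forged request is sent from the administrator's own browser with the administrator's own privileges.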

Impact  

  • Taking full control of an authenticated end-user's account. 
  • Taking control of the entire web application. 
  • Sensitive information exposure.  

Solution/ Workarounds 

Immediately update to the latest patched version of each affected plugin:   

  • Version 2.3 for “Login/Signup Popup”. 
  • Version 2.5.2 for “Waitlist Woocommerce (Back in stock notifier)”. 
  • Version 2.1 for “Side Cart Woocommerce (Ajax)”. 

(Versions at the time of this publication)  
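To confirm that an update actually landed on every site, a practitioner will want to compare installed versions against the fixed releases listed above. The following is an added example, not part of the advisory: a PHP check that reads the kind of output `wp plugin list --fields=name,title,version,status --format=json` produces and flags any of the three plugins still below its patched version. The JSON shown is constructed for the example, and the slug values in its "name" fields are placeholders (the advisory gives the plugins' display titles, not their directory slugs), so matching is done on the title.

```php
<?php
// Added example, not part of the advisory. Compares installed plugin versions
// against the fixed versions the advisory lists, using version_compare() so that
// "2.5.1" < "2.5.2" and "2.2" < "2.3" are handled as version numbers, not strings.

// Fixed versions from the advisory, keyed by plugin title (lower-cased for matching).
$fixed_versions = array(
    'login/signup popup (inline form + woocommerce)' => '2.3',
    'side cart woocommerce (ajax)'                   => '2.1',
    'waitlist woocommerce (back in stock notifier)'  => '2.5.2',
);

// Constructed sample mimicking `wp plugin list --fields=name,title,version,status
// --format=json`. The "name" slugs are placeholders, not the real plugin slugs.
$sample_json = '[
  {"name":"example-login-popup","title":"Login/Signup popup (inline form + Woocommerce)","version":"2.2","status":"active"},
  {"name":"example-side-cart","title":"Side Cart Woocommerce (Ajax)","version":"2.1","status":"active"},
  {"name":"example-waitlist","title":"Waitlist Woocommerce (Back in stock notifier)","version":"2.5.1","status":"inactive"},
  {"name":"example-unrelated","title":"Some Other Plugin","version":"9.9","status":"active"}
]';

/**
 * Return one finding per installed plugin that is below its fixed version.
 * An inactive plugin's handlers are not reachable, so it is not exploitable as-is,
 * but it is still reported because activating it later would re-expose the site.
 */
function find_unpatched_plugins( array $installed, array $fixed ) {
    $findings = array();
    foreach ( $installed as $plugin ) {
        $title = isset( $plugin['title'] ) ? strtolower( trim( $plugin['title'] ) ) : '';
        if ( ! isset( $fixed[ $title ] ) ) {
            continue; // not one of the three plugins in this advisory
        }
        if ( version_compare( $plugin['version'], $fixed[ $title ], '<' ) ) {
            $findings[] = array(
                'slug'      => $plugin['name'],
                'installed' => $plugin['version'],
                'fixed'     => $fixed[ $title ],
                'status'    => $plugin['status'],
            );
        }
    }
    return $findings;
}

$installed = json_decode( $sample_json, true );
if ( ! is_array( $installed ) ) {
    fwrite( STDERR, "Could not parse plugin list JSON\n" );
    exit( 2 );
}

$findings = find_unpatched_plugins( $installed, $fixed_versions );
foreach ( $findings as $f ) {
    printf(
        "UNPATCHED: %s %s (%s) is below fixed version %s%s\n",
        $f['slug'],
        $f['installed'],
        $f['status'],
        $f['fixed'],
        'inactive' === $f['status'] ? ' [inactive: update before re-activating]' : ''
    );
}
// With the sample above this prints two lines (the login popup at 2.2 and the
// waitlist plugin at 2.5.1); the side cart at 2.1 is already at the fixed version.
exit( empty( $findings ) ? 0 : 1 );
```

In practice, replace $sample_json with the real output of the wp plugin list command (for example by piping it into the script, or by running the check through `wp eval-file`), and run it against every site in the fleet, since the advisory lists the fixed versions at the time of publication only and later releases will also satisfy the comparison.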

Reference  

Disclaimer 

The information provided herein is on an "as is" basis, without warranty of any kind.  

Last updated: Fri Jan 21 2022