Researchers from WordPress security company Wordfence discovered a high-severity vulnerability that affects three different WordPress plugins that impact over 84,000 websites. The vulnerability tracked as CVE-2022-0215 is a cross-site request forgery (CSRF) issue that received a CVSS score of 8.8.

A threat actor could exploit the vulnerability to take over vulnerable websites.

The flaw impacts three plugins maintained by Xootix:

“On November 5, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Login/Signup Popup”, a WordPress plugin that is installed on over 20,000 sites. A few days later we discovered the same vulnerability present in two additional plugins developed by the same author: “Side Cart Woocommerce (Ajax)”, installed on over 60,000 sites, and “Waitlist Woocommerce ( Back in stock notifier )”, installed on over 4,000 sites.” reads the advisory published by Wordfence. “This flaw made it possible for an attacker to update arbitrary site options on a vulnerable site, provided they could trick a site’s administrator into performing an action, such as clicking on a link.”

WordPress – Security Tips