84,000 WordPress Sites Affected by Three Plugins With The Same Vulnerability
On November 5, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Login/Signup Popup”, a WordPress plugin that is installed on over 20,000 sites. A few days later we discovered the same vulnerability present in two additional plugins developed by the same author: “Side Cart Woocommerce (Ajax)”, installed on over 60,000 sites, and “Waitlist Woocommerce ( Back in stock notifier )”, installed on over 4,000 sites. This flaw made it possible for an attacker to update arbitrary site options on a vulnerable site, provided they could trick a site’s administrator into performing an action, such as clicking on a link.
All Wordfence users, including Wordfence Premium customers and free Wordfence users are protected against any attackers attempting to exploit this vulnerability. Wordfence Premium users received a firewall rule to protect against any exploits targeting these vulnerabilities on November 5, 2021. Sites still using the free version of Wordfence received the same protection on December 5, 2021.
We sent the full disclosure details on November 5, 2021, after the developer confirmed the appropriate channel to handle communications. After several follow-ups a patched version of “Login/Signup Popup” was released on November 24, 2021, while patched versions of “Side Cart Woocommerce (Ajax)” and “Waitlist Woocommerce ( Back in stock notifier )” were released on December 17, 2021.
We strongly recommend ensuring that your site has been updated to the latest patched version of any of these plugins, which is version 2.3 for “Login/Signup Popup”, version 2.5.2 for “Waitlist Woocommerce ( Back in stock notifier )”, and version 2.1 for “Side Cart Woocommerce (Ajax)” at the time of this publication.
Affected Plugins: Login/Signup Popup | Waitlist Woocommerce ( Back in stock notifier ) | Side Cart Woocommerce (Ajax)
Plugin Slugs: easy-login-woocommerce | waitlist-woocommerce | side-cart-woocommerce
Plugin Developer: XootiX
Affected Versions: <= 2.2 | <= 2.5.1 | <= 2.0
CVE ID: CVE-2022-0215
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Versions: 2.3 | 2.5.2 | 2.1
All three of the affected plugins by XootiX are designed to provide enhanced features to WooCommerce sites. The Login/Signup Popup plugin was designed to add login and signup pop-ups to both standard sites and WooCommerce powered sites, while the Waitlist WooCommerce plugin was designed to add a product waitlist and notifier for out of stock items and Side Cart Woocommerce was designed to make shopping carts available from anywhere on a site all powered via AJAX.
The vulnerability is simple. All three plugins register the save_settings function which is initiated via a wp_ajax action. This function was missing a nonce check which meant that there was no validation on the integrity of who was conducting the request.
public function save_settings(){
if( !current_user_can( $this->capability ) ) return;
$formData = array();
$parseFormData = parse_str( $_POST['form'], $formData );
foreach ( $formData as $option_key => $option_data ) {
$option_data = array_map( 'sanitize_text_field', stripslashes_deep( $option_data ) );
update_option( $option_key, $option_data );
}
wp_send_json(array(
'error' => 0,
'notice' => 'Settings Saved',
));
}
This made it possible for an attacker to craft a request that would trigger the AJAX action and execute the function. If the attacker could successfully trick a site’s administrator into performing an action like clicking on a link or browsing to a certain website, while the administrator was authenticated to the target site, then the request would be successfully sent and trigger the action which would allow the attacker to update arbitrary options on that website.
Arbitrary Options Update vulnerabilities make it possible for attackers to update any option on the WordPress website. Attackers frequently abuse these to set the user_can_register option to true and the default_role option to administrator so that they can register on the vulnerable site as an administrator and completely take it over.
Though this Cross-Site Request Forgery (CSRF) vulnerability is less likely to be exploited due to the fact that it requires administrator interaction, it can have a significant impact to a successfully exploited site and, as such, it serves as an incredibly important reminder to remain aware when clicking on links or attachments and to ensure that you are regularly keeping your plugins and themes up to date.
Timeline
November 5, 2021 – Conclusion of the plugin analysis that led to the discovery of a CSRF to Arbitrary Option Update vulnerability in the Login/Signup Popup plugin. We develop and release a firewall rule to protect Wordfence users. Wordfence Premium users receive this rule immediately. We initiate contact with the developer and provide full disclosure on the same day.
November 10, 2021 – We follow-up with the developer to inform them that both “Side Cart Woocommerce (Ajax)” and “Waitlist Woocommerce ( Back in stock notifier )” plugins are also affected by the same vulnerability.
November 19, 2021 – We follow-up with the developer to check on the status of the patches.
November 24, 2021 – A patched version of “Login/Signup Popup” is released as version 2.3.
November 24, 2021 – December 13, 2021 – We attempt to follow up with the developer about patches for the remaining two plugins.
December 5, 2021 – The firewall rule becomes available to free Wordfence users.
December 17, 2021 – A patched version of “Waitlist Woocommerce ( Back in stock notifier )” is released as 2.5.2, and a patched version of “Side Cart Woocommerce (Ajax)” is released as version 2.1.
Conclusion
In today’s post, we detailed a flaw present in three plugins developed by the same developer that would make it possible for attackers to gain administrative access to sites when successfully exploited. This flaw has been fully patched in all three plugins.
We recommend that WordPress users immediately verify that their site has been updated to the latest patched version available for each of these plugins, which is version 2.3 for “Login/Signup Popup”, version 2.5.2 for “Waitlist Woocommerce ( Back in stock notifier )”, and version 2.1 for “Side Cart Woocommerce (Ajax)” at the time of this publication.
All Wordfence users, including Wordfence Premium customers and free Wordfence users are protected against this vulnerability. Wordfence Premium users received a firewall rule to protect against any exploits targeting these vulnerabilities on November 5, 2021. Sites still using the free version of Wordfence received the same protection on December 5, 2021.
If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a serious vulnerability that can lead to complete site takeover.
If your site has been compromised by an attack on this or any other plugin, our Professional Site Cleaning services can help you get back in business.
Comments
3:46 pm
Hi Guys,
Where's the podcast gone ;-) I really miss it, as it was pretty much the only security podcast I listen too that concentrates on Wordpress. I note though that Steve Gibson from SecurityNow mentions you quite a bit these days.
Cheers
Simon
7:49 am
Hi Simon,
Unfortunately, we've had to put the podcast on hold for the unforeseeable future, though that's not to say we won't bring it back again at some point in the future. Thanks for being a supporter! :)