Threat Level
HIGH
Components Affected
- Login/Signup popup (inline form + Woocommerce) - versions 2.2 and below
- Side cart Woocommerce (Ajax) - versions 2.0 and below
- Waitlist Woocommerce (Back in stock notifier) - versions 2.5.1 and below
Overview
This vulnerability makes it possible for an attacker to update arbitrary site options on a vulnerable site, provided they can trick the site's administrator into performing an action, such as clicking on a link.
Description
Cross-site request forgery occurs when an authenticated end-user is tricked by an attacker into submitting a specially crafted web request. CSRF can compromise the entire web application if the victim account is an administrator account.
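As an added illustration (not code from any of the affected plugins, whose internals this advisory does not describe), the following shows a hypothetical WordPress AJAX settings handler in the unprotected shape that lets a forged request change site options, beside the hardened form that verifies a nonce, checks the caller's capability and allow-lists the option names. All handler, option, nonce and script names are assumed; the API calls are standard WordPress functions.

```php
<?php
// Added illustration, not code from the affected plugins. Handler names,
// option names, the nonce action and the script handle are hypothetical.

// VULNERABLE PATTERN: the handler accepts any request carrying a logged-in
// session. Because the browser attaches the administrator's cookies to a
// request triggered from another site, update_option() runs with admin
// privileges and the request, not the plugin, chooses the option and value.
add_action( 'wp_ajax_hypo_save_settings_unsafe', function () {
    update_option( sanitize_key( $_POST['option'] ), wp_unslash( $_POST['value'] ) );
    wp_send_json_success();
} );

// HARDENED PATTERN: three checks the vulnerable handler lacks.
add_action( 'wp_ajax_hypo_save_settings', function () {
    // 1. Nonce: proves the request came from a page this plugin rendered for
    //    this user; a cross-site form cannot obtain it. Dies with 403 otherwise.
    check_ajax_referer( 'hypo_settings_nonce', '_ajax_nonce' );

    // 2. Capability: only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Allow-list: never let the client pick an arbitrary option name.
    $allowed = array( 'hypo_popup_enabled', 'hypo_popup_delay' );
    $option  = isset( $_POST['option'] ) ? sanitize_key( $_POST['option'] ) : '';
    if ( ! in_array( $option, $allowed, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    $value = sanitize_text_field( wp_unslash( $_POST['value'] ?? '' ) );
    update_option( $option, $value );
    wp_send_json_success();
} );

// Hand the nonce to the plugin's own admin script (assumed to be registered
// under the handle 'hypo-admin') so legitimate requests can include it.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'hypo-admin', 'hypoAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'hypo_settings_nonce' ),
    ) );
} );
```

When reviewing a plugin for this bug class, look for `update_option()` reachable from an `admin_post_*`, `wp_ajax_*` or `admin_init` handler that has no `check_admin_referer()`/`check_ajax_referer()` and no capability check in front of it.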
Impact
- Taking full control over the authenticated end-user's account.
- Taking control of the entire web application.
- Sensitive information exposure.
Solution / Workarounds
Immediately update each affected plugin to its latest patched version:
- Version 2.3 for “Login/Signup Popup”.
- Version 2.5.2 for “Waitlist Woocommerce (Back in stock notifier)”.
- Version 2.1 for “Side Cart Woocommerce (Ajax)”.
(Versions at the time of this publication)
Reference
- https://www.wordfence.com/blog/2022/01/84000-wordpress-sites-affected-by-three-plugins-with-the-same-vulnerability/
- https://thehackernews.com/2022/01/high-severity-vulnerability-in-3.html
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.