Researchers have discovered a security flaw in three separate WordPress plugins that affects over 84,000 websites and could be exploited by a hostile actor to take control of them.
“This flaw made it possible for an attacker to update arbitrary site options on a vulnerable site, provided they could trick a site’s administrator into performing an action, such as clicking on a link,” WordPress security company Wordfence stated in a report released last week.
The three affected plugins are:

- Login/Signup Popup (Inline Form + Woocommerce),
- Side Cart Woocommerce (Ajax), and
- Waitlist Woocommerce (Back in stock notifier)
Cross-site request forgery (CSRF), also known as a one-click attack or session riding, occurs when an authenticated end user is deceived into submitting a specially constructed web request. “If the victim is an administrative account, CSRF can compromise the entire web application,” OWASP notes in its documentation.
The flaw stems from a lack of validation when processing AJAX requests, allowing an attacker to update the “users_can_register” (i.e., anyone can register) option on a site to true and the “default_role” setting (i.e., the default role of users who register at the blog) to administrator, effectively giving them complete control. Login/Signup Popup has over 20,000 installations, while Side Cart Woocommerce and Waitlist Woocommerce have over 4,000 and 60,000 installations, respectively.
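The checks that stop this kind of forged AJAX request, as an added example that is not code from the affected plugins or from Wordfence. The handler name, action name, nonce field and option names are hypothetical; the WordPress functions are real core APIs.

```php
<?php
// Added example: hypothetical plugin settings handler. All "example_" names
// are illustrative and not taken from the affected plugins.

// Only options this plugin owns may be written through the AJAX endpoint.
// Core options such as users_can_register and default_role are never listed.
const EXAMPLE_ALLOWED_OPTIONS = array(
    'example_popup_title',
    'example_popup_redirect',
);

// Registered for logged-in users only (no wp_ajax_nopriv_ hook).
add_action( 'wp_ajax_example_save_settings', 'example_save_settings' );

function example_save_settings() {
    // 1. CSRF check: the request must carry a nonce created for this action
    //    in the administrator's own session. Terminates the request on failure.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // 2. Authorization check: a valid nonce alone does not prove privilege.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $submitted = isset( $_POST['settings'] ) && is_array( $_POST['settings'] )
        ? wp_unslash( $_POST['settings'] )
        : array();

    $saved = array();
    foreach ( $submitted as $name => $value ) {
        // 3. Allowlist: skip any option name the plugin does not own, so the
        //    endpoint can never become a generic update_option() proxy.
        if ( ! in_array( $name, EXAMPLE_ALLOWED_OPTIONS, true ) || ! is_scalar( $value ) ) {
            continue;
        }
        update_option( $name, sanitize_text_field( $value ) );
        $saved[] = $name;
    }

    wp_send_json_success( array( 'saved' => $saved ) );
}

// The settings page hands the nonce to its JavaScript, for example:
// wp_localize_script( 'example-admin', 'exampleSettings',
//     array( 'nonce' => wp_create_nonce( 'example_save_settings' ) ) );
```

The allowlist matters even with the nonce in place: it keeps registration and role settings out of reach of this endpoint regardless of who sends the request.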
The problem has been fixed in Login/Signup Popup version 2.3, Side Cart Woocommerce version 2.1, and Waitlist Woocommerce 2.5.2, after responsible disclosure by Wordfence researchers in November 2021. The discoveries came just over a month after hackers used flaws in four plugins and 15 Epsilon Framework themes to attack 1.6 million WordPress sites as part of a large-scale attack effort that spanned 16,000 IP addresses.