Recently I wrote an article talking about how 2021 was really bad for WordPress. Vulnerabilities in WordPress plugins rose by 142% in 2021, putting millions of websites at risk. It seems 2022 won't be any different. Now a vulnerability found in three different WordPress plugins has left over 80,000 WordPress websites vulnerable.
The Wordfence Threat Intelligence team has recently posted an article about a vulnerability they found and reported to the plugin developers. The same vulnerability has been found in three different plugins. However, exploiting it requires some action from the site administrator. The three vulnerable plugins are Login/Signup Popup, Side Cart Woocommerce (Ajax), and Waitlist Woocommerce (Back in stock notifier), all by the same developer, Xootix. Together these plugins have 84,000 active installs, so every WordPress website using any of them is vulnerable.
The vulnerability exists because all three plugins expose their save_settings function through a wp_ajax action without verifying who is actually making the request. An attacker can therefore craft a link that triggers the AJAX action and runs the function. If a logged-in site administrator clicks that crafted link, the request is carried out on the website with the administrator's privileges.
This class of vulnerability is called Cross-Site Request Forgery (CSRF). The vulnerable plugins are not easy to exploit because administrator interaction is required, but a successful exploit can have a significant impact.
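The missing request check described above, shown as an added example that is not the Xootix plugins' code: a hypothetical settings handler in the unsafe shape beside a hardened version using WordPress's nonce and capability APIs. All function, option and nonce names here are assumptions.

```php
<?php
// Added illustration, not code from the affected plugins. Names (my_plugin_*,
// the option key and the nonce action) are hypothetical.

// UNSAFE PATTERN: wp_ajax_* handlers run only for logged-in users, but nothing
// here proves the administrator intended the request, so a page the admin
// visits elsewhere can submit it with the admin's session (CSRF).
add_action( 'wp_ajax_my_plugin_save_settings_unsafe', 'my_plugin_save_settings_unsafe' );
function my_plugin_save_settings_unsafe() {
    update_option( 'my_plugin_settings', $_POST['settings'] ); // no nonce, no capability check, no sanitizing
    wp_die();
}

// HARDENED PATTERN: a nonce ties the request to a page this site served,
// a capability check restricts it to administrators, and input is sanitized.
add_action( 'admin_enqueue_scripts', 'my_plugin_enqueue' );
function my_plugin_enqueue( $hook ) {
    if ( 'settings_page_my-plugin' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'my-plugin-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    // Hand the nonce to the settings page script; it must be sent back as the
    // "_ajax_nonce" field with every save request.
    wp_localize_script( 'my-plugin-admin', 'myPlugin', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'my_plugin_save_settings' ),
    ) );
}

add_action( 'wp_ajax_my_plugin_save_settings', 'my_plugin_save_settings' );
function my_plugin_save_settings() {
    // Verifies $_REQUEST['_ajax_nonce'] against the action; dies with -1 on failure.
    check_ajax_referer( 'my_plugin_save_settings' );

    // Only users allowed to manage options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $raw      = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : array();
    $settings = array(
        'enabled' => ! empty( $raw['enabled'] ) ? 1 : 0,
        'title'   => sanitize_text_field( $raw['title'] ?? '' ),
    );
    update_option( 'my_plugin_settings', $settings );
    wp_send_json_success( $settings );
}
```

A forged request from another site cannot carry a valid nonce, so check_ajax_referer stops it before any setting is written.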
If you use any of these plugins and also run the Wordfence plugin, your website is protected against attacks attempting to exploit this vulnerability. The protection covers both Wordfence Premium and free users.
The company reported these vulnerabilities to the developers on November 5, 2021, and published its report after the plugin developers had patched them. If you use any of these plugins, we recommend updating to the latest version.