Researchers have discovered three WordPress plug-ins with the same vulnerability that allows an attacker to update arbitrary site options on a vulnerable site and completely take it over. Exploiting the flaw does require some action from the site administrator.
Researchers had found in “Login/Signup Popup,” a WordPress plug-in installed on more than 20,000 sites. Few days later they discovered that the flaw was present in two other plug-ins by the same developer, who goes by the online name of XootiX. They are “Side Cart Woocommerce (Ajax),” which has been installed on more than 60,000 sites, and “Waitlist Woocommerce” which has been installed on more than 4,000.
Login/Signup Popup is a “simple and lightweight” plug-in aimed at streamlining a site’s registration, login and password reset processes. Side Cart Woocommerce designed to work with the Woocommerce plugin for creating an e-commerce store allows a site’s users to access items they’ve placed into a shopping cart using from anywhere on the site. Waitlist Woocommerce also to be used with Woocommerce adds the functionality of tracking demand for out-of-stock items to an e-commerce site.
All of the plug-ins have been updated and the flaw patched. Still, the discovery of the bug’s multiple occurrences reflects an ongoing issue with WordPress plug-ins being riddled with flaws. Indeed, vulnerabilities in the plug-ins skyrocketed with triple-digit growth in 2021, according to RiskBased Security.
Mode of Operation
All three plug-ins register the save_settings function, which is initiated via a wp_ajax action. In each of the plug-ins, this function was missing a nonce check, which meant that there was no validation on the integrity of who was conducting the request
An attacker can craft a request that would trigger the AJAX action and execute the function. The action from the site’s administrator “like clicking on a link or browsing to a certain website while the administrator was authenticated to the target site” is needed to fully exploit the flaw. The request would be successfully sent and trigger the action which would allow the attacker to update arbitrary options on that website.
Risks and Mitigations
Recommended actions for WordPress users who use the plug-ins are to verify that their site has been updated to the latest patched version available for each of them. That would be version 2.3 for “Login/Signup Popup”, version 2.5.2 for “Waitlist Woocommerce (Back in stock notifier )”, and version 2.1 for “Side Cart Woocommerce (Ajax),” according to the post.
All Wordfence users are protected against the vulnerability. Wordfence Premium users received a firewall rule to protect against any exploits targeting them and sites still using the free version of Wordfence received the same protection few days later.