PT-2022-13041 · WordPress · Login/Signup Popup+2

Chloe Chamberland · Published 2022-01-17 · Updated 2022-01-24 · CVE-2022-0215

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Login/Signup Popup versions <= 2.2
Waitlist Woocommerce (Back in stock notifier) versions <= 2.5.1
Side Cart Woocommerce (Ajax) versions <= 2.0

Description
The issue affects the WordPress plugins listed above and allows an attacker to update arbitrary options on a site, potentially creating an administrative user account and gaining full access to the compromised site. This is possible because the save settings function is vulnerable to Cross-Site Request Forgery: an attacker who can trick an administrator into performing a certain action, such as clicking a link, can have the administrator's browser submit a settings update on the attacker's behalf. The vulnerability affects at least 84,000 websites.

Recommendations
For Login/Signup Popup version <= 2.2, update to a version higher than 2.2. For Waitlist Woocommerce (Back in stock notifier) version <= 2.5.1, update to a version higher than 2.5.1. For Side Cart Woocommerce (Ajax) version <= 2.0, update to a version higher than 2.0. As a temporary workaround, consider disabling the save settings function in the ~/includes/xoo-framework/admin/class-xoo-admin-settings.php file until a patch is available.
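The following is an added illustration of the defect class described above, not code from the affected plugins or from the advisory. It contrasts a settings handler of the CSRF-prone shape (any posted option name is written, no request-origin check) with a hardened handler that verifies a WordPress nonce, checks the caller's capability, and restricts writes to an allowlist of option names so that arbitrary options such as user-role settings cannot be reached. All function and option names prefixed `xyz_` are hypothetical; the WordPress API calls (`check_admin_referer`, `current_user_can`, `update_option`, `wp_nonce_field`, `admin_post_*` hooks) are real.

```php
<?php
// Added, hypothetical example (not the plugins' own code).
// Assumption: the settings form posts $_POST['settings'] = [ option_name => value ].

// Pattern 1: the CSRF-prone shape. Nothing ties the request to a form the
// administrator actually submitted, and any option name is written.
function xyz_save_settings_unsafe() {
    foreach ( (array) $_POST['settings'] as $name => $value ) {
        update_option( $name, $value ); // arbitrary option write, no origin check
    }
}

// Pattern 2: hardened handler.
const XYZ_ALLOWED_OPTIONS = [ 'xyz_popup_enabled', 'xyz_popup_title' ];

function xyz_save_settings_safe() {
    // Only users allowed to manage options may reach the write path.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', 403 );
    }
    // Rejects requests that lack a nonce bound to this action and this user's
    // session; a form forged on another origin cannot carry a valid one.
    check_admin_referer( 'xyz_save_settings', 'xyz_nonce' );

    $posted = isset( $_POST['settings'] ) ? (array) wp_unslash( $_POST['settings'] ) : [];
    foreach ( $posted as $name => $value ) {
        // Unknown option names are ignored rather than written.
        if ( ! in_array( $name, XYZ_ALLOWED_OPTIONS, true ) ) {
            continue;
        }
        update_option( $name, sanitize_text_field( $value ) );
    }
    wp_safe_redirect( admin_url( 'options-general.php?page=xyz&updated=1' ) );
    exit;
}
add_action( 'admin_post_xyz_save_settings', 'xyz_save_settings_safe' );

// The settings form must emit the matching nonce field for the check to pass.
function xyz_render_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="xyz_save_settings">';
    wp_nonce_field( 'xyz_save_settings', 'xyz_nonce' );
    echo '<input type="text" name="settings[xyz_popup_title]" value="'
        . esc_attr( get_option( 'xyz_popup_title', '' ) ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}
```

The nonce check alone stops the cross-site trigger; the allowlist is what limits blast radius if any other path into the handler is ever found, which is the property the "update arbitrary options" wording in the description is about. When reviewing a plugin for this class of issue, look for `update_option` calls whose option name comes from request data and for handlers lacking `check_admin_referer`/`wp_verify_nonce` and a `current_user_can` check.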

Tags: Exploit · Fix · CSRF


Weakness Enumeration

Related Identifiers: CVE-2022-0215

Affected Products: Login/Signup Popup, Side Cart Woocommerce, Waitlist Woocommerce