Researchers discovered vulnerabilities that can allow for full site takeover in login and e-commerce add-ons for the popular website-building platform.
Researchers have discovered three WordPress plug-ins with the same vulnerability that allows an attacker to update arbitrary site options on a vulnerable site and completely take it over. Exploiting the flaw does require some action from the site administrator, however.
On Nov. 5, 2021, the Wordfence Threat Intelligence team started a process to disclose a vulnerability researchers had found in “Login/Signup Popup,” a WordPress plug-in installed on more than 20,000 sites, Wordfence’s Chloe Chamberland wrote in a post published online Thursday.
However, a few days later they discovered that the flaw was present in two other plug-ins by the same developer, who goes by the online name of XootiX. They are “Side Cart Woocommerce (Ajax),” which has been installed on more than 60,000 sites, and “Waitlist Woocommerce (Back in stock notifier),” which has been installed on more than 4,000.
Login/Signup Popup is a “simple and lightweight” plug-in aimed at streamlining a site’s registration, login and password reset processes, according to its description online. Side Cart Woocommerce – designed to work with the Woocommerce plug-in for creating an e-commerce store – allows a site’s users to access items they’ve placed into a shopping cart from anywhere on the site. Waitlist Woocommerce – also to be used with Woocommerce – adds the functionality of tracking demand for out-of-stock items to an e-commerce site.
As of now, all of the plug-ins have been updated and the flaw patched, according to the post. On Nov. 24, the developer released a patched version of Login/Signup Popup as version 2.3. Later, on Dec. 17, patched versions of Waitlist Woocommerce (version 2.5.2) and Side Cart Woocommerce (version 2.1) were released.
Still, the discovery of the bug’s multiple occurrences reflects an ongoing issue with WordPress plug-ins being riddled with flaws. Indeed, vulnerabilities in the plug-ins skyrocketed with triple-digit growth in 2021, according to RiskBased Security.
The vulnerability found by the Wordfence team is fairly straightforward, Chamberland wrote. All three plug-ins register the save_settings function, which is initiated via a wp_ajax action, she said.
In each of the plug-ins, “this function was missing a nonce check, which meant that there was no validation on the integrity of who was conducting the request,” according to the post.
What this sets up is a scenario in which an attacker can craft a request that would trigger the AJAX action and execute the function, Chamberland wrote. However, action from the site’s administrator – “like clicking on a link or browsing to a certain website while the administrator was authenticated to the target site” – is needed to fully exploit the flaw, she said.
In these cases, “the request would be successfully sent and trigger the action which would allow the attacker to update arbitrary options on that website,” she explained in the post.
Exploiting Arbitrary Options Update vulnerabilities in this way is something threat actors “frequently abuse,” allowing them to update any option on a WordPress website and to ultimately take it over, Chamberland noted.
That takeover becomes possible if an attacker sets “the user_can_register option to true and the default_role option to administrator so that they can register on the vulnerable site as an administrator,” she explained.
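To make the missing-nonce pattern concrete, here is an added illustration (not the XootiX plug-ins’ actual code): a hypothetical wp_ajax “save settings” handler of the shape the post describes, followed by a hardened version that adds the nonce check, a capability check and an option allowlist. All function, action and option names here are assumptions.

```php
<?php
// Added example; hypothetical handlers, not code from the affected plug-ins.

// --- Vulnerable pattern: no nonce, no capability check, arbitrary option name ---
add_action( 'wp_ajax_example_save_settings_vulnerable', 'example_save_settings_vulnerable' );
function example_save_settings_vulnerable() {
    // Any request carrying an admin's session cookie reaches update_option()
    // with a caller-chosen key and value, so core options such as
    // user_can_register and default_role can be rewritten.
    foreach ( $_POST['settings'] as $key => $value ) {
        update_option( $key, $value );
    }
    wp_send_json_success();
}

// --- Hardened pattern ---
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_hardened' );
function example_save_settings_hardened() {
    // 1. Nonce: ties the request to a page this site rendered for this user.
    //    check_ajax_referer() terminates the request if the nonce is absent or stale,
    //    which is exactly what stops the link-click / cross-site trigger described above.
    check_ajax_referer( 'example_save_settings', '_wpnonce' );

    // 2. Capability: only users who may manage options can change plug-in settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Allowlist: write only this plug-in's own options, never core ones.
    $allowed  = array( 'example_popup_enabled', 'example_popup_title' );
    $settings = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? $_POST['settings']
        : array();

    foreach ( $settings as $key => $value ) {
        if ( ! in_array( $key, $allowed, true ) ) {
            continue; // e.g. user_can_register / default_role are silently dropped
        }
        update_option( $key, sanitize_text_field( wp_unslash( $value ) ) );
    }
    wp_send_json_success();
}

// The matching nonce is emitted where the settings form is rendered, e.g.:
// wp_nonce_field( 'example_save_settings', '_wpnonce' );
```

When auditing a plug-in for this bug class, look for any `wp_ajax_*` callback that calls `update_option()` without a preceding `check_ajax_referer()`/`wp_verify_nonce()` and `current_user_can()` check, and without constraining the option name.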
Though the fact that the flaws found in the plug-ins require administrator action makes them “less likely to be exploited,” they can have “significant impact” if they are exploited, Chamberland said.
“As such, it serves as an incredibly important reminder to remain aware when clicking on links or attachments and to ensure that you are regularly keeping your plug-ins and themes up to date,” she advised.
Recommended actions for WordPress users who use the plug-ins are to verify that their site has been updated to the latest patched version available for each of them. That would be version 2.3 for “Login/Signup Popup,” version 2.5.2 for “Waitlist Woocommerce (Back in stock notifier),” and version 2.1 for “Side Cart Woocommerce (Ajax),” according to the post.
All Wordfence users are protected against the vulnerability, according to the post. Wordfence Premium users received a firewall rule to protect against any exploits targeting them on Nov. 5, and sites still using the free version of Wordfence received the same protection on Dec. 5.