Security Vulnerability in 3 WordPress Plugins Put Over 84,000 Websites at Risk

Colin Thierry
Colin Thierry Writer
Colin Thierry Colin Thierry Writer

Researchers from WordPress security company Wordfence found a security vulnerability that affected 3 different WordPress plugins, which has impacted over 84,000 websites and could be abused by a malicious threat actor to take over vulnerabile sites.

“This flaw made it possible for an attacker to update arbitrary site options on a vulnerable site, provided they could trick a site’s administrator into performing an action, such as clicking on a link,” Wordfence said in a Jan. 13 report.

“All Wordfence users, including Wordfence Premium customers and free Wordfence users are protected against this vulnerability. Wordfence Premium users received a firewall rule to protect against any exploits targeting these vulnerabilities on Nov. 5, 2021. Sites still using the free version of Wordfence received the same protection on Dec. 5, 2021.”

The 3 plug-ins that have been impacted by the cross-site request forgery flaw include Login/Signup Popup, Side Cart WooCommerce, and Waitlist WooCommerce.

“If the victim is an administrative account, CSRF can compromise the entire web application,” the Open Web Application Security Project (OWASP) says in its documentation.

Login/Signup Popup is installed on over 20,000 sites, while Side Cart WooCommerce and Waitlist WooCommerce are installed on more than 4,000 and 60,000 sites, respectively.

Following responsible disclosure by Wordfence researchers in November, the issue has since been addressed in Login/Signup Popup version 2.3, Side Cart WooCommerce version 2.1, and Waitlist WooCommerce version 2.5.2.

“We strongly recommend ensuring that your site has been updated to the latest patched version of any of these plugins, which is version 2.3 for ‘Login/Signup Popup’, version 2.5.2 for ‘Waitlist Woocommerce ( Back in stock notifier )’, and version 2.1 for ‘Side Cart Woocommerce (Ajax)’ at the time of this publication,” Wordfence said in the release.

The findings come over a month after hackers exploited weaknesses in 4 WordPress plugins.

“Though this Cross-Site Request Forgery (CSRF) vulnerability is less likely to be exploited due to the fact that it requires administrator interaction, it can have a significant impact to a successfully exploited site and, as such, it serves as an incredibly important reminder to remain aware when clicking on links or attachments and to ensure that you are regularly keeping your plugins and themes up to date,” Wordfence’s Chloe Chamberland said.

About the Author

About the Author

Colin Thierry is a former cybersecurity researcher and journalist for SafetyDetectives who has written a wide variety of content for the web over the past 2 years. In his free time, he enjoys spending time outdoors, traveling, watching sports, and playing video games.