CVE-2022-0215 The Login/Signup Popup, Waitlist Woocommerce, and Side Cart Woocommerce are vulnerable to Cross-Site Request Forgery. This attack makes it possible to change the settings of an admin panel.


Furthermore, Cross-Site Scripting in the ~/includes/xoo-framework/admin/settings.tpl file via the save_settings function allows attackers to inject arbitrary JavaScript into settings forms, which can be used to steal login credentials and bypass authentication. This affects versions <= 2.2.1 of Login/Signup Popup, versions <= 2.5 of Waitlist Woocommerce, and versions <= 2.0 of Side Cart Woocommerce.

XooX also has an insecure direct object reference issue in the ~/includes/xoo-framework/class-xoo-form-element-helper.php file, which allows remote attackers to conduct clickjacking attacks via a settings form. This affects versions <= 2.2.1 of Login/Signup Popup, versions <= 2.5.1 of Waitlist Woocommerce, and versions <= 2.0 of Side Cart Woocommerce.

XooX Login/Signup Popup

XooX also has a critical vulnerability in the save_settings function in the ~/includes/xoo-framework/class-xoo-settings-manager.php file that remote attackers can exploit to update arbitrary settings on a site and obtain fully privileged access to the compromised site. This affects versions <= 2.2.1 of Login/Signup Popup, versions <= 2.5 of Waitlist Woocommerce, and versions <= 2.0 of Side Cart Woocommerce.
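The pattern behind a settings-save CSRF like the one described above, shown as an added illustration rather than the plugins' own code: a WordPress handler that writes whatever arrives in a POST, beside a hardened version that checks capability and nonce, sanitizes input, and escapes stored values when the settings form is re-rendered. All xoo_* names, option keys and the form field are hypothetical placeholders.

```php
<?php
// Added illustration, not code from the affected plugins. Names such as
// xoo_save_settings and the 'xoo_settings' option are hypothetical.

// BEFORE: the shape of the flaw. Any POST reaching the handler is honoured,
// so an authenticated admin who loads a third-party page can have plugin
// settings changed without any action on their part (CSRF).
function xoo_save_settings_vulnerable() {
    $settings = (array) ( $_POST['xoo_settings'] ?? array() );
    update_option( 'xoo_settings', $settings ); // no capability check, no nonce, no sanitizing
    wp_safe_redirect( admin_url( 'admin.php?page=xoo-settings' ) );
    exit;
}

// AFTER: capability check, nonce check, then sanitize before saving.
function xoo_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // Dies with 403 when the nonce is absent or invalid, which defeats CSRF.
    check_admin_referer( 'xoo_save_settings', '_xoo_nonce' );

    $raw      = (array) ( $_POST['xoo_settings'] ?? array() );
    $settings = array();
    foreach ( $raw as $key => $value ) {
        if ( ! is_scalar( $value ) ) {
            continue; // this illustration only accepts flat string settings
        }
        $settings[ sanitize_key( $key ) ] = sanitize_text_field( wp_unslash( $value ) );
    }
    update_option( 'xoo_settings', $settings );
    wp_safe_redirect( admin_url( 'admin.php?page=xoo-settings' ) );
    exit;
}
add_action( 'admin_post_xoo_save_settings', 'xoo_save_settings_hardened' );

// Settings form: emit the nonce the handler expects, and escape stored values
// on output so a value written earlier cannot run as script in the admin page.
function xoo_render_settings_form() {
    $settings = get_option( 'xoo_settings', array() );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="xoo_save_settings">';
    wp_nonce_field( 'xoo_save_settings', '_xoo_nonce' );
    echo '<input type="text" name="xoo_settings[title]" value="'
        . esc_attr( $settings['title'] ?? '' ) . '">';
    submit_button( 'Save' );
    echo '</form>';
}
```

When reviewing a plugin for this class of bug, look for every admin_post_*, admin-ajax or REST callback that calls update_option without a preceding check_admin_referer, wp_verify_nonce or REST permission_callback.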
