Furthermore, cross-site scripting in the ~/includes/xoo-framework/admin/settings.tpl file via the save_settings function allows attackers to inject arbitrary JavaScript into settings forms that can be used to steal login credentials, bypassing authentication. This affects versions = 2.2.1 in Login/Signup Popup, versions = 2.5 in Waitlist Woocommerce, and versions = 2.0 in Side Cart Woocommerce.

XooX also has an issue related to the use of insecure direct object references in the ~/includes/xoo-framework/class-xoo-form-element-helper.php file. This allows remote attackers to conduct clickjacking attacks via a settings form. This affects versions = 2.2.1 in Login/Signup Popup, versions = 2.5.1 in Waitlist Woocommerce, and versions = 2.0 in Side Cart Woocommerce.

XooX also has a critical vulnerability in the save_settings function in the ~/includes/xoo-framework/class-xoo-settings-manager.php file that can be exploited by remote attackers to update arbitrary settings on a site and grant full privileged access to a compromised site. This affects versions = 2.2.1 in Login/Signup Popup, versions = 2.5 in Waitlist Woocommerce, and versions = 2.0 in Side Cart Woocommerce. XooX has also a

XooX Login/Signup Popup

XooX has a critical vulnerability in the save_settings function in the ~/includes/xoo-framework/class-xoo-settings-manager.php file that can be exploited by remote attackers to update arbitrary settings on a site and grant full privileged access to a compromised site. This affects versions = 2.2.1 in Login/Signup Popup, versions = 2.5 in Waitlist Woocommerce, and versions = 2.0 in Side Cart Woocommerce.

Timeline

Published on: 01/18/2022 17:15:00 UTC
Last modified on: 01/24/2022 20:31:00 UTC