Admin gap closed in three WordPress plugins
If you use the Woocommerce shop system together with the plugins Login/Signup Popup, Side Cart Woocommerce (Ajax) or Waitlist Woocommerce (Back in stock notifier) on your WordPress site, you should update them for security reasons.
According to a report by Wordfence security researchers, the plugins are installed on a combined 84,000 sites. All three share the same vulnerability (CVE-2022-0215, rated "high"), which is exploitable.
Admin account for attackers
The vulnerability lies in the save_settings function, which the plugins expose as a wp_ajax action (that is, through WordPress's admin-ajax.php endpoint). The handler never verifies that the change was actually requested by an authorised user: there is no nonce check, so any page on the web can submit a forged request to it. That is a cross-site request forgery (CSRF) attack. Because wp_ajax actions run only for logged-in users, the attacker must first get a logged-in administrator to open a malicious link or page. If that succeeds, the attacker can change the plugin settings and, among other things, create a new administrator account and take full control of the site.
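 
To make the missing check concrete, the following is an added illustration of the vulnerable pattern next to a hardened version. It is not the code of any of the three plugins; the action names (example_save_settings_*), option name and setting keys are hypothetical, chosen only to show the mechanism.

```php
<?php
// Added illustrative example, NOT code from any of the affected plugins.
// Both handlers are reachable through admin-ajax.php?action=<name> for
// logged-in users, which is why the attacker needs a logged-in admin victim.

// --- Vulnerable pattern ---------------------------------------------------
// Nothing here checks that the logged-in user intended this request (nonce)
// or is allowed to change settings (capability). A cross-origin HTML form
// POSTing to admin-ajax.php with the victim's cookies is enough.
add_action( 'wp_ajax_example_save_settings_vulnerable', 'example_save_settings_vulnerable' );

function example_save_settings_vulnerable() {
    $settings = array();
    foreach ( (array) $_POST['settings'] as $key => $value ) {
        $settings[ $key ] = wp_kses_post( $value );
    }
    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success();
}

// --- Hardened pattern -----------------------------------------------------
// 1. Nonce check: the request must carry a token that only the plugin's own
//    admin page handed to this user. A forged cross-site form cannot obtain it.
// 2. Capability check: a genuine request from a low-privilege logged-in user
//    (e.g. a subscriber) must also be refused; nonces alone do not do that.
// 3. Allow-list the setting keys so the handler cannot be steered into
//    writing arbitrary values.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_hardened' );

function example_save_settings_hardened() {
    // Dies with a 403 if '_ajax_nonce' is missing or does not verify.
    check_ajax_referer( 'example_save_settings', '_ajax_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $allowed = array( 'popup_enabled', 'popup_title', 'redirect_url' );
    $input   = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();

    $settings = array();
    foreach ( $allowed as $key ) {
        if ( isset( $input[ $key ] ) ) {
            $settings[ $key ] = sanitize_text_field( $input[ $key ] );
        }
    }

    update_option( 'example_plugin_settings', $settings );
    wp_send_json_success( $settings );
}

// The plugin's own settings page generates the token and sends it along with
// the AJAX request. wp_create_nonce() ties it to the current user and session,
// which is exactly what an attacker's page cannot reproduce.
function example_settings_nonce() {
    return wp_create_nonce( 'example_save_settings' );
}
```

WordPress relies on nonces rather than on the SameSite cookie attribute for CSRF protection, so check_ajax_referer() is the actual fix for the class of bug described above; the current_user_can() check is defence in depth against logged-in users who should not be touching plugin settings at all.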
The following versions (and later) contain the fix:
- Login/Signup Popup 2.3
- Side Cart Woocommerce (Ajax) 2.1
- Waitlist Woocommerce (Back in stock notifier) 2.5.2