CVE-2022-0215 The Login/Signup Popup, Waitlist Woocommerce, and Side Cart Woocommerce are vulnerable to Cross-Site Request Forgery. This attack makes it possible to change the settings of an admin panel.
Furthermore, Cross-Site scripting in the ~/includes/xoo-framework/admin/settings.tpl file via the save_settings function allows attackers to inject arbitrary JavaScript into settings forms that can be used to steal login credentials, bypassing authentication. This affects versions = 2.2.1 in Login/Signup Popup, versions = 2.5 in Waitlist Woocommerce, and versions = 2.0 in Side Cart Woocommerce. XooX also has an issue related to the use of insecure direct object references in the ~/includes/xoo-framework/class-xoo-form-element-helper.php file. This allows remote attackers to conduct clickjacking attacks via a setting form. This affects versions = 2.2.1 in Login/Signup Popup, versions = 2.5.1 in Waitlist Woocommerce, and versions = 2.0 in Side Cart Woocommerce. XooX has also a Critical vulnerability in the save_settings function in the ~/includes/xoo-framework/class-xoo-settings-manager.php file that can be exploited by remote attackers to update arbitrary settings on a site and grant full privileged access to a compromised site. This affects versions = 2.2.1 in Login/Signup Popup, versions = 2.5 in Waitlist Woocommerce, and versions = 2.0 in Side Cart Woocommerce. XooX has also a
XooX Login/Signup Popup
XooX has a Critical vulnerability in the save_settings function in the ~/includes/xoo-framework/class-xoo-settings-manager.php file that can be exploited by remote attackers to update arbitrary settings on a site and grant full privileged access to a compromised site. This affects versions = 2.2.1 in Login/Signup Popup, versions = 2.5 in Waitlist Woocommerce, and versions = 2.0 in Side Cart Woocommerce.
Timeline
Published on: 01/18/2022 17:15:00 UTC
Last modified on: 01/24/2022 20:31:00 UTC
References
- https://wordfence.com/vulnerability-advisories/#CVE-2022-0215
- https://plugins.trac.wordpress.org/browser/waitlist-woocommerce/tags/2.5.1/includes/xoo-framework/admin/class-xoo-admin-settings.php#L122
- https://plugins.trac.wordpress.org/browser/side-cart-woocommerce/tags/2.1/includes/xoo-framework/admin/class-xoo-admin-settings.php?rev=2538194#L128
- https://www.wordfence.com/blog/2022/01/84000-wordpress-sites-affected-by-three-plugins-with-the-same-vulnerability/
- https://plugins.trac.wordpress.org/browser/easy-login-woocommerce/tags/2.2/includes/xoo-framework/admin/class-xoo-admin-settings.php#L122
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0215