High-Severity Vulnerability in three WordPress Plugins Affecting Multiple Websites (26th January 20

Ref# AL2022_05 | Date: Jan 26th 2022

Description

According to cybersecurity experts, a significant number of websites built on the WordPress platform may be exposed to malicious users because of three security flaws in WordPress plugins. The severity of this vulnerability is such that exploitation can lead to complete compromise of the site.

Summary

The three (3) plugins are vulnerable to cross-site request forgery (a "one-click" attack), in which an authenticated user is tricked by an attacker into submitting a specially crafted web request. If the victim is logged in as the site administrator, this can lead to complete compromise of the web application.

How it works

The cross-site request forgery (CSRF) bug has been assigned CVE-2022-0215 with a CVSS rating of 8.8 and affects three plugins maintained by Xootix:

  • Login/Signup Popup
  • Side Cart WooCommerce
  • Waitlist WooCommerce

When an authenticated end-user is deceived into submitting a specially designed web request, it is known as cross-site request forgery, a one-click attack or session riding. “CSRF can compromise the entire web application if the victim has logged in with an administrative account,” according to a warning stated by OWASP.

The flaw stems from a lack of validation when processing AJAX requests. It allows the attacker to set the “users_can_register” option to true, meaning anyone can register an account on the site, and to set the “default_role” option for newly registered users to administrator, effectively giving the attacker absolute control of the site.
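The following is an added example (not code from the advisory or from the Xootix plugins) of how a WordPress AJAX handler that changes the same two options should be written: the request must carry a nonce tied to the logged-in user and the action, the caller must hold the capability to manage options, and the submitted values are validated before being stored. It also hooks the two options so that any change is logged and a default role of administrator is refused. The handler name, action name and nonce name (example_save_settings, example_settings_nonce) are assumptions; the WordPress functions used are the platform's real APIs.

```php
<?php
/*
 * Added example, not part of the advisory or of any Xootix plugin.
 * Names prefixed "example_" are hypothetical; WordPress APIs are real.
 */

// Register the handler for logged-in users only. The wp_ajax_nopriv_ variant is
// deliberately not registered, so unauthenticated requests never reach it.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings' );

function example_save_settings() {
    // 1. CSRF defence: the request must carry a nonce minted for this user and
    //    this action. check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_settings_nonce', 'security' );

    // 2. Authorization: being logged in is not enough. Only users allowed to
    //    manage options (administrators) may change these settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges' ), 403 );
    }

    // 3. Input validation: accept only the exact values we expect.
    $can_register = isset( $_POST['users_can_register'] )
        && '1' === $_POST['users_can_register'];

    $allowed_roles = array( 'subscriber', 'contributor' ); // never 'administrator'
    $role = isset( $_POST['default_role'] )
        ? sanitize_key( wp_unslash( $_POST['default_role'] ) )
        : 'subscriber';
    if ( ! in_array( $role, $allowed_roles, true ) ) {
        wp_send_json_error( array( 'message' => 'Invalid default role' ), 400 );
    }

    update_option( 'users_can_register', $can_register ? 1 : 0 );
    update_option( 'default_role', $role );

    wp_send_json_success();
}

// The nonce must be created server-side and handed to the page's JavaScript,
// which sends it back as the "security" POST field checked above.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'jquery', 'exampleSettings', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_settings_nonce' ),
    ) );
} );

// Hard stop: whatever code path tries it, the default role for new
// registrations may never become administrator. The filter runs before the
// value is saved and returns the previous value instead.
add_filter( 'pre_update_option_default_role', function ( $value, $old_value ) {
    return ( 'administrator' === $value ) ? $old_value : $value;
}, 10, 2 );

// Detection: record every change to the two options named in the advisory so
// that a CSRF-driven change is visible in the site's error log.
foreach ( array( 'users_can_register', 'default_role' ) as $opt ) {
    add_action( "update_option_{$opt}", function ( $old, $new ) use ( $opt ) {
        $user = wp_get_current_user();
        error_log( sprintf(
            '[option-audit] %s changed from %s to %s by user #%d (%s) from %s',
            $opt,
            var_export( $old, true ),
            var_export( $new, true ),
            $user->ID,
            $user->user_login,
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'cli'
        ) );
    }, 10, 2 );
}
```

The three checks are independent: the nonce stops a forged cross-site request, the capability check stops a low-privileged account from reaching the handler, and the whitelist stops an unexpected value from being stored even if a caller passes the first two. A plugin that omits the nonce and capability checks on its AJAX endpoint is in exactly the position the advisory describes.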

Remediation

To combat this vulnerability, users are advised to follow the steps below:

  • Ensure the three plugins mentioned above are updated to their most recent version.
  • Avoid clicking on suspicious links or attachments. A website’s code can be used to redirect you to another site and download malware to your device while you’re on your way to your intended destination. When you click on untrustworthy links or download questionable software, you put yourself at risk of being infected with malware.
  • Ensure data/input validation is applied to inputs required from the users, since this validation method would prevent improper data from being entered into the web application.
  • Install a web application firewall to monitor and filter data packets entering and leaving the web application. This establishes a collection of rules to protect your website from malicious threats, such as brute force assaults, DDoS attacks, cross-site scripting, SQL injection, and zero-day exploits.
  • Ensure developers are trained with best practices regarding securing WordPress websites.

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.

PDF Download: High-Severity Vulnerability in three WordPress Plugins Affecting Multiple Websites.pdf
