These Three WordPress Plugins Have A Flaw That Affects 84,000 Websites


WordPress is considered one of the most popular content management systems the web has ever seen.

It is said that in 2021, WordPress was powering 39.5% of all websites on the internet, up from 35% of sites in 2020. That number is huge, and it is going to grow as the web grows. But like any other product out there, WordPress and its ecosystem can have flaws.

And this time, researchers have disclosed a security shortcoming in three different WordPress plugins that are installed on more than 84,000 websites combined.

By abusing the plugins' weakness, attackers could gain control of an entire website.

"This flaw made it possible for an attacker to update arbitrary site options on a vulnerable site, provided they could trick a site's administrator into performing an action, such as clicking on a link," said WordPress security company Wordfence in a report.

The vulnerability, tracked as CVE-2022-0215, is rated 8.8 on the CVSS scale.

It impacts three plugins maintained by Xootix.

They include the 'Login/Signup Popup' plugin, which has been installed on more than 20,000 sites, the 'Side Cart For Woocommerce' plugin, which has been installed on more than 60,000 sites, and the 'Waitlist For Woocommerce' plugin, which has been installed on more than 4,000 sites.

In total, about 84,000 WordPress websites are affected by this flaw.

Essentially, the flaw is a cross-site request forgery (CSRF) flaw.

Cross-site request forgery, also known as a one-click attack or session riding, happens when an attacker tricks an authenticated end-user's browser into submitting a specially crafted web request on the attacker's behalf.

In this case, if the victim has an administrative account on a WordPress website with any of the three plugins installed, the attack can compromise the entire web application that person controls.

The flaw stems from a lack of request validation when the plugins process AJAX requests.

All three plugins in question register a save_settings function, which is invoked via a wp_ajax action, the findings said.

According to the post, “this function was missing a nonce check, which meant that there was no validation on the integrity of who was conducting the request.”

This effectively enables attackers to set the users_can_register option of a WordPress website to true, and to set the default_role option to administrator, so that any account registered afterwards is an administrator.

This way, attackers who manage to exploit a WordPress website with any of the three plugins installed can grant themselves complete control of the website.
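To make the bug class concrete, here is an added illustration (constructed for this article, not Xootix's code and not taken from the Wordfence post) of a wp_ajax settings handler without a nonce check, next to a hardened version. The plugin prefix, function names, AJAX action names and option keys are assumptions; only the WordPress core API calls are real.

```php
<?php
// Constructed example of the CSRF pattern described above. Everything prefixed
// "example_plugin_" is hypothetical; the WordPress core functions are real.

// VULNERABLE PATTERN: the handler trusts any request that carries a logged-in
// session. A request forged from a page the administrator happens to visit is
// accepted, because the browser attaches the admin's WordPress cookies to it.
function example_plugin_save_settings_vulnerable() {
    $options = isset( $_POST['options'] ) ? (array) $_POST['options'] : array();
    foreach ( $options as $name => $value ) {
        // Arbitrary option write: nothing stops users_can_register or
        // default_role from being supplied here.
        update_option( sanitize_key( $name ), $value );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_plugin_save_settings_vulnerable', 'example_plugin_save_settings_vulnerable' );

// HARDENED PATTERN: verify the nonce, require the capability, and only allow
// the plugin's own options to be written.
function example_plugin_save_settings_hardened() {
    // check_ajax_referer() terminates the request with a 403 if the nonce
    // is missing or invalid; a cross-site request cannot obtain a valid one.
    check_ajax_referer( 'example_plugin_save_settings', 'nonce' );

    // A nonce proves intent, not authority: still check the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // Allow-list of this plugin's own option names (assumed). Core options
    // such as users_can_register and default_role are never reachable.
    $allowed = array( 'example_plugin_popup_enabled', 'example_plugin_redirect_url' );
    $options = isset( $_POST['options'] ) ? (array) $_POST['options'] : array();
    foreach ( $options as $name => $value ) {
        if ( in_array( $name, $allowed, true ) ) {
            update_option( $name, sanitize_text_field( wp_unslash( $value ) ) );
        }
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_plugin_save_settings_hardened', 'example_plugin_save_settings_hardened' );

// The plugin's settings form must embed the matching nonce so the legitimate
// request passes the check, e.g. in the page that renders the form:
// wp_nonce_field( 'example_plugin_save_settings', 'nonce' );
```

When reviewing a plugin, every add_action( 'wp_ajax_...' ) handler that writes options should be checked for both a check_ajax_referer()/wp_verify_nonce() call and a current_user_can() call before any update_option().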

The three affected WordPress plugins are all developed by Xootix.

The attack succeeds when an attacker can convince an administrator of an affected WordPress website to do something "like clicking on a link or browsing to a certain website while the administrator was authenticated to the target site."

In these cases, "the request would be successfully sent and trigger the action which would allow the attacker to update arbitrary options on that website," the post explained.

"Though this Cross-Site Request Forgery (CSRF) vulnerability is less likely to be exploited due to the fact that it requires administrator interaction, it can have a significant impact to a successfully exploited site and, as such, it serves as an incredibly important reminder to remain aware when clicking on links or attachments and to ensure that you are regularly keeping your plugins and themes up to date," said Wordfence's Chloe Chamberland.

Following responsible disclosure by Wordfence researchers in November 2021, Xootix addressed the issue in all three plugins.

On November 24, the developer released a patched version of Login/Signup Popup as version 2.3. Later, on December 17, a patched version of Waitlist Woocommerce, version 2.5.2, was released, and a patched version of Side Cart Woocommerce, version 2.1, was released as well.

These updates should eliminate the vulnerability.

As of now, all of the plugins have been updated and the flaw patched, according to the post.

The findings came a month after attackers exploited weaknesses in four plugins and 15 Epsilon Framework themes, effectively targeting some 1.6 million WordPress websites as part of a large-scale attack campaign originating from 16,000 IP addresses.

Published: 15/01/2022