HIGH · 8.8

CVE-2022-0215

The Login/Signup Popup, Waitlist Woocommerce ( Back in stock notifier ), and Side Cart Woocommerce (Ajax) WordPress plugins by XootiX are vulnerable to Cross-Site Request Forgery via the save_settings...

Vulnerability Description

The Login/Signup Popup, Waitlist Woocommerce ( Back in stock notifier ), and Side Cart Woocommerce (Ajax) WordPress plugins by XootiX are vulnerable to Cross-Site Request Forgery via the save_settings function found in the ~/includes/xoo-framework/admin/class-xoo-admin-settings.php file which makes it possible for attackers to update arbitrary options on a site that can be used to create an administrative user account and grant full privileged access to a compromised site. This affects versions <= 2.2 in Login/Signup Popup, versions <= 2.5.1 in Waitlist Woocommerce ( Back in stock notifier ), and versions <= 2.0 in Side Cart Woocommerce (Ajax).
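The description above names the failure mode (a settings-save handler reachable by an authenticated user's browser without proof that the user intended the request, writing whatever option names the request supplies). The following is an added illustration, not the XootiX plugin code: a hypothetical WordPress AJAX settings handler in the CSRF-prone shape first, then a hardened version that verifies a nonce, checks capability, and only writes an allowlisted set of options. All function and option names prefixed `xoo_demo_` are invented for this example.

```php
<?php
// Added illustration (not the XootiX plugin code): a hypothetical WordPress
// settings handler, first in the CSRF-prone shape the advisory describes,
// then hardened. Names prefixed xoo_demo_ are invented for this example.

// --- Vulnerable shape: no nonce, no capability check, arbitrary option names ---
// Because WordPress sends the logged-in cookie with any same-site request the
// browser makes, a wp_ajax_ handler without a nonce is reachable cross-site.
function xoo_demo_save_settings_vulnerable() {
    foreach ( (array) ( $_POST['settings'] ?? array() ) as $name => $value ) {
        update_option( $name, $value ); // option name chosen by the request
    }
    wp_send_json_success();
}
// Deliberately not hooked; shown only for contrast with the hardened handler.

// --- Hardened shape ---
// Allowlist of option names this handler may write, with the expected type.
const XOO_DEMO_ALLOWED_OPTIONS = array(
    'xoo_demo_popup_enabled' => 'bool',
    'xoo_demo_popup_title'   => 'text',
);

function xoo_demo_save_settings_hardened() {
    // 1. CSRF defence: the request must carry a nonce issued to this user for
    //    this action (the client obtains it via wp_create_nonce( 'xoo_demo_save_settings' )).
    check_ajax_referer( 'xoo_demo_save_settings', 'nonce' );

    // 2. Authorisation: only users allowed to manage options may write them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Allowlist plus type coercion: unknown option names are ignored, so the
    //    handler cannot be used to flip unrelated options such as user registration.
    $incoming = (array) ( $_POST['settings'] ?? array() );
    foreach ( XOO_DEMO_ALLOWED_OPTIONS as $name => $type ) {
        if ( ! array_key_exists( $name, $incoming ) ) {
            continue;
        }
        $value = ( 'bool' === $type )
            ? (bool) $incoming[ $name ]
            : sanitize_text_field( wp_unslash( $incoming[ $name ] ) );
        update_option( $name, $value );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_xoo_demo_save_settings', 'xoo_demo_save_settings_hardened' );
```

When auditing a plugin for this class of bug, look at every `wp_ajax_*`, `admin_post_*` and `admin-ajax` entry point that reaches `update_option()`: the absence of `check_ajax_referer()` / `check_admin_referer()` / `wp_verify_nonce()` on the path is the CSRF defect, and an unrestricted option name is what turns it into a full site takeover. Restricting the hook to logged-in users (omitting the `wp_ajax_nopriv_` variant) does not help, since the victim is the logged-in administrator whose browser is induced to send the request.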

CVSS Score

8.8

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality: HIGH
Integrity: HIGH
Availability: HIGH

Affected Products

Vendor   Product                 Versions
Xootix   Login/Signup Popup      <= 2.2
Xootix   Side Cart Woocommerce   <= 2.0
Xootix   Waitlist Woocommerce    <= 2.5.1

Related Weaknesses (CWE)

References

FAQ

What is CVE-2022-0215?

CVE-2022-0215 is a vulnerability with a CVSS score of 8.8 (HIGH). The Login/Signup Popup, Waitlist Woocommerce ( Back in stock notifier ), and Side Cart Woocommerce (Ajax) WordPress plugins by XootiX are vulnerable to Cross-Site Request Forgery via the save_settings...

How severe is CVE-2022-0215?

CVE-2022-0215 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2022-0215?

Check the references section above for vendor advisories and patch information. Affected products include: Xootix Login/Signup Popup, Xootix Side Cart Woocommerce, Xootix Waitlist Woocommerce.