
These WordPress plugins have high-risk vulnerabilities!

Jan 21, 2022 pm 03:40 PM

This WordPress tutorial column introduces high-risk vulnerabilities found in three WordPress plug-ins. I hope it will be helpful to those who need it!

Researchers discovered high-risk vulnerabilities in three WordPress plugins

Recently, researchers from WordPress security company Wordfence discovered a serious vulnerability affecting three different WordPress plugins, with over 84,000 websites impacted. The vulnerability is tracked as CVE-2022-0215 and is a cross-site request forgery (CSRF) flaw; the Common Vulnerability Scoring System (CVSS) gives it a score of 8.8.


On November 5, 2021, the Wordfence threat intelligence team first discovered this vulnerability in the Login/Signup Popup plug-in and initiated the disclosure process. A few days later they found the same vulnerability in the Side Cart Woocommerce (Ajax) plugin and the Waitlist Woocommerce (Back in stock notifier) plugin. Through this vulnerability, an attacker could update any site option on a vulnerable website by tricking the site administrator into performing a single action.

The attack works by crafting a request that triggers the plugin's AJAX action, which performs the option update. If the attacker can trick a site administrator into performing an action such as clicking a link or visiting a web page while the administrator is authenticated to the target site, the browser sends the request with the administrator's session, the action is triggered, and the attacker is able to update arbitrary options on the site.

An attacker can exploit this vulnerability to enable the "users_can_register" option (anyone can register) and set the "default_role" option (the default role for newly registered users) to administrator. They can then register an administrator account on the vulnerable website and take it over completely.
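To make the defect concrete, here is an added illustration (not code from XootiX's plugins or from Wordfence): a hypothetical "save option" AJAX handler with the weakness the article describes, followed by the same handler with the nonce, capability and allow-list checks that prevent it. The `demo_` names and option names are assumptions.

```php
<?php
// Added illustration, not code from XootiX's plugins or from Wordfence: a
// hypothetical "save option" AJAX handler with the defect CVE-2022-0215
// describes, followed by the same handler with the checks that prevent it.

// Vulnerable pattern. Any POST to admin-ajax.php?action=demo_save_option that
// arrives with a logged-in administrator's cookies updates whichever option the
// request names. Nothing proves the admin intended the request, so a page the
// admin merely visits can submit it on their behalf.
function demo_save_option_vulnerable() {
    $name  = sanitize_key( $_POST['option_name'] ?? '' );
    $value = wp_unslash( $_POST['option_value'] ?? '' );
    update_option( $name, $value ); // e.g. users_can_register / default_role
    wp_send_json_success();
}
// add_action( 'wp_ajax_demo_save_option', 'demo_save_option_vulnerable' );

// Hardened pattern: a nonce ties the request to a form this plugin rendered,
// a capability check enforces authorisation, and an allow-list keeps the
// handler away from core options such as users_can_register and default_role.
const DEMO_ALLOWED_OPTIONS = array( 'demo_popup_title', 'demo_popup_enabled' );

function demo_save_option_hardened() {
    // 1. CSRF check: the settings page emits wp_nonce_field( 'demo_save_option' );
    //    check_ajax_referer() dies with HTTP 403 if the nonce is missing or wrong.
    check_ajax_referer( 'demo_save_option', '_wpnonce' );

    // 2. Authorisation: only users allowed to manage options may proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Allow-list: refuse any option name this plugin does not own.
    $name = sanitize_key( $_POST['option_name'] ?? '' );
    if ( ! in_array( $name, DEMO_ALLOWED_OPTIONS, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    $value = sanitize_text_field( wp_unslash( $_POST['option_value'] ?? '' ) );
    update_option( $name, $value );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_save_option', 'demo_save_option_hardened' );

// The plugin's own admin page hands the nonce to its JavaScript, so only
// requests originating from that page carry a valid one:
// wp_localize_script( 'demo-admin', 'demoAjax', array(
//     'url'   => admin_url( 'admin-ajax.php' ),
//     'nonce' => wp_create_nonce( 'demo_save_option' ),
// ) );
```

The allow-list is the part that limits blast radius even if a nonce check is later forgotten: a settings handler should never accept an arbitrary option name from the request.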

The three affected plugins reported by the Wordfence team are all maintained by XootiX:

  • Login/Signup Popup plugin (over 20,000 installs)

  • Side Cart Woocommerce (Ajax) plugin (over 4,000 installs)

  • Waitlist Woocommerce (Back in stock notifier) plugin (over 60,000 installs)

These three XootiX plugins provide enhanced functionality for WooCommerce websites. The Login/Signup Popup plugin adds login and signup popups to standard websites and to websites running the WooCommerce plugin. The Waitlist Woocommerce plugin adds product waitlists and out-of-stock item notifications. The Side Cart Woocommerce plugin makes the shopping cart available anywhere on the website, loaded via AJAX.

Regarding this vulnerability, the Wordfence team specifically reminds WordPress users to check whether the versions running on their websites have been updated to the latest patched releases of these plug-ins, namely Login/Signup Popup version 2.3, Waitlist Woocommerce version 2.5.2, and Side Cart Woocommerce version 2.1.
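A check an administrator can run after updating, as an added example (not from the article or from Wordfence): it reports the two options the article says the flaw was used to change, compares the three plugins against the patched versions named above, and lists the newest administrator accounts. Matching plugins by their header `Name` is an assumption.

```php
<?php
// Added verification script, not from the article or from Wordfence. Run it
// with `wp eval-file check-xootix.php` or from a must-use plugin. It reports the
// two options the article says the flaw was used to change, compares the three
// XootiX plugins against the patched versions the article names, and lists the
// newest administrator accounts. Matching plugins by their header Name is an
// assumption; adjust the strings if `wp plugin list` shows different names.
if ( ! function_exists( 'get_plugins' ) ) {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
}

function demo_xootix_findings() {
    $findings = array();

    // 1. Options an attacker flips to self-register as an administrator.
    if ( '1' === (string) get_option( 'users_can_register' ) ) {
        $findings[] = 'users_can_register is enabled (anyone can register)';
    }
    if ( 'administrator' === get_option( 'default_role' ) ) {
        $findings[] = 'default_role is administrator';
    }

    // 2. Patched versions from the advisory, keyed by (assumed) plugin header name.
    $patched = array(
        'Login/Signup Popup'    => '2.3',
        'Side Cart Woocommerce' => '2.1',
        'Waitlist Woocommerce'  => '2.5.2',
    );
    foreach ( get_plugins() as $file => $data ) {
        foreach ( $patched as $name => $min ) {
            if ( false !== stripos( $data['Name'], $name )
                 && version_compare( $data['Version'], $min, '<' ) ) {
                $findings[] = sprintf( '%s %s (%s) is below patched %s', $data['Name'], $data['Version'], $file, $min );
            }
        }
    }

    // 3. Recently registered administrators deserve a second look on an exposed site.
    $admins = get_users( array( 'role' => 'administrator', 'orderby' => 'registered', 'order' => 'DESC', 'number' => 5 ) );
    foreach ( $admins as $u ) {
        $findings[] = sprintf( 'administrator %s registered %s', $u->user_login, $u->user_registered );
    }
    return $findings;
}

$f = demo_xootix_findings();
echo $f ? implode( PHP_EOL, $f ) . PHP_EOL : 'no findings' . PHP_EOL;
```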

Reference source:

https://securityaffairs.co/wordpress/126821/hacking/wordpress-plugins-flaws-2.html

