Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cve[email protected]CVE-2022-0215
HistoryJan 18, 2022 - 5:15 p.m.

CVE-2022-0215

2022-01-1817:15:10
CWE-352
[email protected]
web.nvd.nist.gov
35
xootix
wordpress
plugins
csrf
vulnerability
security
nvd

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.4 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

76.2%

JSON

The Login/Signup Popup, Waitlist Woocommerce ( Back in stock notifier ), and Side Cart Woocommerce (Ajax) WordPress plugins by XootiX are vulnerable to Cross-Site Request Forgery via the save_settings function found in the ~/includes/xoo-framework/admin/class-xoo-admin-settings.php file which makes it possible for attackers to update arbitrary options on a site that can be used to create an administrative user account and grant full privileged access to a compromised site. This affects versions <= 2.2 in Login/Signup Popup, versions <= 2.5.1 in Waitlist Woocommerce ( Back in stock notifier ), and versions <= 2.0 in Side Cart Woocommerce (Ajax).

Affected configurations

Vulners
NVD
Node
xootixlogin\/signup_popupRange2.22.2
OR
xootixwaitlist_woocommerceRange2.5.12.5.1
OR
xootixside_cart_woocommerceRange2.02.0
VendorProductVersionCPE
xootixlogin\/signup_popup*cpe:2.3:a:xootix:login\/signup_popup:*:*:*:*:*:*:*:*
xootixwaitlist_woocommerce*cpe:2.3:a:xootix:waitlist_woocommerce:*:*:*:*:*:*:*:*
xootixside_cart_woocommerce*cpe:2.3:a:xootix:side_cart_woocommerce:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "Login/Signup Popup",
    "vendor": "XootiX",
    "versions": [
      {
        "lessThanOrEqual": "2.2",
        "status": "affected",
        "version": "2.2",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "Waitlist Woocommerce ( Back in stock notifier )",
    "vendor": "XootiX",
    "versions": [
      {
        "lessThanOrEqual": "2.5.1",
        "status": "affected",
        "version": "2.5.1",
        "versionType": "custom"
      }
    ]
  },
  {
    "product": "Side Cart Woocommerce (Ajax)",
    "vendor": "XootiX",
    "versions": [
      {
        "lessThanOrEqual": "2.0",
        "status": "affected",
        "version": "2.0",
        "versionType": "custom"
      }
    ]
  }
]

Related

hivepro 1
patchstack 3
thn 1
wordfence 1
wpexploit 1
cvelist 1
nvd 1
wpvulndb 1
prion 1
hivepro
hivepro
WordPress plugins affected by critical vulnerability impacting 84,000 websites
2022-01-17 15:52:52
patchstack
patchstack
WordPress Side Cart Woocommerce (Ajax) plugin <= 2.0 - Cross-Site Request Forgery (CSRF) vulnerability leading to Arbitrary Options Update
2022-01-13 00:00:00
WordPress Waitlist Woocommerce ( Back in stock notifier ) plugin <= 2.5.1 - Cross-Site Request Forgery (CSRF) vulnerability leading to Arbitrary Options Update
2021-12-17 00:00:00
WordPress Login/Signup Popup plugin <= 2.2 - Cross-Site Request Forgery (CSRF) vulnerability leading to Arbitrary Options Update
2022-01-13 00:00:00
thn
thn
High-Severity Vulnerability in 3 WordPress Plugins Affected 84,000 Websites
2022-01-17 05:18:00
wordfence
wordfence
84,000 WordPress Sites Affected by Three Plugins With The Same Vulnerability
2022-01-13 14:54:00
wpexploit
wpexploit
XootiX Plugins - Various Versions CSRF to Arbitrary Options Update
2022-01-13 00:00:00
cvelist
cvelist
CVE-2022-0215 XootiX Plugins <= Various Versions Cross-Site Request Forgery to Arbitrary Options Update
2022-01-18 16:52:32
nvd
nvd
CVE-2022-0215
2022-01-18 17:15:10
wpvulndb
wpvulndb
XootiX Plugins - Various Versions CSRF to Arbitrary Options Update
2022-01-13 00:00:00
prion
prion
Cross site request forgery (csrf)
2022-01-18 17:15:00

6.8 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:M/Au:N/C:P/I:P/A:P

8.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

8.4 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

76.2%

JSON
Related for CVE-2022-0215
hivepro1patchstack3thn1wordfence1wpexploit1cvelist1nvd1wpvulndb1prion1