Researchers have discovered three WordPress plug-ins with the same vulnerability that allows an attacker to update arbitrary site options on a vulnerable site and completely take it over. Exploiting the flaw does require some action from the site administrator, however. On Nov. 5, 2021, the Wordfence Threat Intelligence team started a process to disclose a vulnerability researchers had found in “Login/Signup Popup,” a WordPress plug-in installed on more than 20,000 sites, Wordfence’s Chloe Chamberland wrote in a post published online Thursday. However, a few days later they discovered that the flaw was present in two other plug-ins by the same developer, who goes by the online name of XootiX. They are “Side Cart Woocommerce (Ajax),” which has been installed on more than 60,000 sites, and “Waitlist Woocommerce (Back in stock notifier),” which has been installed on more than 4,000. Login/Signup Popup is a “simple and lightweight” plug-in aimed at streamlining a site’s registration, login and password reset processes, according to its description online. Side Cart Woocommerce – designed to work with the Woocommerce plugin for creating an e-commerce store – allows a site’s users to access items they’ve placed into a shopping cart using from anywhere on the site. Waitlist Woocommerce – also to be used with Woocommerce – adds the functionality of tracking demand for out-of-stock items to an e-commerce site. As of now, all of the plug-ins have been updated and the flaw patched,…
https://govanguard.com/wp-content/uploads/2018/04/Header_Logo.png 0 0 govanguard https://govanguard.com/wp-content/uploads/2018/04/Header_Logo.png govanguard2022-01-14 09:07:002022-01-14 09:07:00Three Plugins with Same Bug Put 84K WordPress Sites at Risk
Our Standard Office Hours
Monday – Friday: 8:00AM – 5:00PM EDT
Saturday – Sunday: Closed
Where to Find Us
Data Privacy Notice
- – All product names, logos, and brands are property of their respective owners.
- – The use of these names, logos, and brands is for identification purposes only and does not imply endorsement.
- – Content syndication and aggregation of public information is solely for the purpose of identifying information security trends, all syndicated content contains source links to the content creator website. All content is owned by it’s respective content creators.
- – If you are an owner of some content and want it to be removed, please email email@example.com