CVE-2022-0215

8.8 HIGH

📋 TL;DR

This CSRF vulnerability in XootiX WordPress plugins allows attackers to trick authenticated administrators into unknowingly executing malicious actions, including creating new admin accounts and taking full control of affected WordPress sites. It affects three popular WooCommerce plugins used by approximately 84,000 WordPress sites. Attackers can exploit this by getting an admin to click a malicious link while logged in.

💻 Affected Systems

Products:
  • Login/Signup Popup WordPress plugin
  • Waitlist Woocommerce (Back in stock notifier)
  • Side Cart Woocommerce (Ajax)
Versions: Login/Signup Popup <= 2.2, Waitlist Woocommerce <= 2.5.1, Side Cart Woocommerce <= 2.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All WordPress installations using vulnerable plugin versions are affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete site takeover with attacker creating administrative accounts, installing backdoors, stealing sensitive data, and defacing or destroying the website.

🟠

Likely Case

Attacker creates hidden admin account, maintains persistent access, and uses the compromised site for phishing, malware distribution, or further attacks.

🟢

If Mitigated

With proper CSRF protections and admin awareness, exploitation attempts fail or are detected before damage occurs.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires social engineering to trick authenticated admin users, but the technical complexity is minimal with public proof-of-concept available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Login/Signup Popup 2.3+, Waitlist Woocommerce 2.5.2+, Side Cart Woocommerce 2.1+

Vendor Advisory: https://wordpress.org/plugins/easy-login-woocommerce/#developers

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins > Installed Plugins.
3. Update all affected XootiX plugins to the latest versions.
4. Verify that the updates completed successfully.

🔧 Temporary Workarounds

Temporary Plugin Deactivation

Disable the vulnerable plugins with WP-CLI until patches can be applied:

wp plugin deactivate easy-login-woocommerce
wp plugin deactivate side-cart-woocommerce
wp plugin deactivate waitlist-woocommerce

🧯 If You Can't Patch

  • Implement CSRF protection at web application firewall level
  • Restrict admin panel access to specific IP addresses only

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for XootiX plugin versions

Check Version:

wp plugin list --name='easy-login-woocommerce|side-cart-woocommerce|waitlist-woocommerce' --field=version

Verify Fix Applied:

Verify plugin versions show Login/Signup Popup >= 2.3, Waitlist Woocommerce >= 2.5.2, Side Cart Woocommerce >= 2.1

📡 Detection & Monitoring

Log Indicators:

  • Unexpected admin user creation
  • Plugin settings changes from unusual IPs
  • Multiple failed login attempts followed by successful admin creation

Network Indicators:

  • POST requests to /wp-admin/admin-ajax.php with action=xoo_admin_settings_save from unexpected sources

SIEM Query:

source="wordpress.log" AND ("action=xoo_admin_settings_save" OR ("user_role=administrator" AND "user_registered"))
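The network indicator above (a state-changing admin-ajax action arriving from an unexpected source) can be checked mechanically. The following is an added example, not code from the advisory or the plugin vendor; it assumes a hypothetical site host (shop.example) and constructed JSON-lines log records such as a WAF or audit log that captures request bodies might produce.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Hypothetical values for this example: the site's own host, and the AJAX action
# named in the advisory's network indicators.
SITE_HOST = "shop.example"
WATCHED_ACTIONS = {"xoo_admin_settings_save"}

# Constructed sample records (JSON lines, as a WAF or audit log that captures
# request bodies might emit). Not real traffic.
SAMPLE_LOG = """\
{"ip":"203.0.113.5","method":"POST","path":"/wp-admin/admin-ajax.php","referer":"https://shop.example/wp-admin/admin.php?page=xoo-el","origin":"https://shop.example","body":"action=xoo_admin_settings_save&_wpnonce=abc"}
{"ip":"198.51.100.9","method":"POST","path":"/wp-admin/admin-ajax.php","referer":"https://evil.example/lure.html","origin":"https://evil.example","body":"action=xoo_admin_settings_save"}
{"ip":"198.51.100.9","method":"POST","path":"/wp-admin/admin-ajax.php","referer":"","origin":"","body":"action=xoo_admin_settings_save"}
{"ip":"203.0.113.7","method":"GET","path":"/wp-admin/admin-ajax.php?action=heartbeat","referer":"https://shop.example/wp-admin/","origin":"","body":""}
"""

def _host(url):
    return urlsplit(url).hostname if url else None

def classify(record):
    """Return a reason if the record is a watched admin action triggered from
    outside the site (the CSRF pattern), else None."""
    if record["method"] != "POST":
        return None
    if urlsplit(record["path"]).path != "/wp-admin/admin-ajax.php":
        return None
    action = parse_qs(record["body"]).get("action", [None])[0]
    if action not in WATCHED_ACTIONS:
        return None
    src = _host(record["origin"]) or _host(record["referer"])
    if src is None:
        return f"{action}: Origin/Referer missing"
    if src != SITE_HOST:
        return f"{action}: cross-site source {src}"
    return None

def scan(log_text):
    """Return [(ip, reason)] for each suspicious record in a JSON-lines log."""
    findings = []
    for line in filter(None, log_text.splitlines()):
        rec = json.loads(line)
        reason = classify(rec)
        if reason:
            findings.append((rec["ip"], reason))
    return findings

if __name__ == "__main__":
    for ip, reason in scan(SAMPLE_LOG):
        print(ip, reason)
```

A foreign Origin or Referer is the strong signal; a missing one is weaker, since a strict Referrer-Policy also strips it, so treat that case as worth review rather than as proof.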

🔗 References