Refine your search
4 vulnerabilities found for Waitlist Woocommerce ( Back in stock notifier ) by XootiX
CVE-2024-43134 (GCVE-0-2024-43134)
Vulnerability from cvelistv5
Published
2024-11-01 14:17
Modified
2026-04-28 16:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
Missing Authorization vulnerability in xootix Waitlist Woocommerce ( Back in stock notifier ) allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Waitlist Woocommerce ( Back in stock notifier ): from n/a through 2.6.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xootix | Waitlist Woocommerce ( Back in stock notifier ) |
Version: n/a < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43134",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-01T17:53:55.914893Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-01T17:54:14.366Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "waitlist-woocommerce",
"product": "Waitlist Woocommerce ( Back in stock notifier )",
"vendor": "xootix",
"versions": [
{
"changes": [
{
"at": "2.6.1",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.6",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Abdi Pranata (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in xootix Waitlist Woocommerce ( Back in stock notifier ) allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Waitlist Woocommerce ( Back in stock notifier ): from n/a through 2.6.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in xootix Waitlist Woocommerce ( Back in stock notifier ) allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Waitlist Woocommerce ( Back in stock notifier ): from n/a through 2.6."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-28T16:10:08.898Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/waitlist-woocommerce/wordpress-waitlist-woocommerce-plugin-2-6-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 2.6.1 or a higher version."
}
],
"value": "Update to 2.6.1 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Waitlist Woocommerce plugin \u003c= 2.6 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-43134",
"datePublished": "2024-11-01T14:17:47.834Z",
"dateReserved": "2024-08-07T09:19:02.857Z",
"dateUpdated": "2026-04-28T16:10:08.898Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-8724 (GCVE-0-2024-8724)
Vulnerability from cvelistv5
Published
2024-09-14 03:19
Modified
2026-04-08 17:20
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
The Waitlist Woocommerce ( Back in stock notifier ) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.7.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| xootix | Waitlist Woocommerce ( Back in stock notifier ) |
Version: 0 ≤ 2.7.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8724",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-15T19:56:25.403367Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-15T19:56:48.766Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Waitlist Woocommerce ( Back in stock notifier )",
"vendor": "xootix",
"versions": [
{
"lessThanOrEqual": "2.7.5",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "vgo0"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Waitlist Woocommerce ( Back in stock notifier ) plugin for WordPress is vulnerable to Reflected Cross-Site Scripting due to the use of add_query_arg without appropriate escaping on the URL in all versions up to, and including, 2.7.5. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:20:10.937Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c298c87e-cf3c-4b72-bb0e-a01ca2dfe52f?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/waitlist-woocommerce/trunk/admin/templates/xoo-wl-import-form.php#L8"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3151186%40waitlist-woocommerce\u0026new=3151186%40waitlist-woocommerce\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-09-13T14:49:36.000Z",
"value": "Disclosed"
}
],
"title": "Waitlist Woocommerce ( Back in stock notifier ) \u003c= 2.7.5 - Reflected Cross-Site Scripting"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-8724",
"datePublished": "2024-09-14T03:19:28.619Z",
"dateReserved": "2024-09-11T19:41:02.995Z",
"dateUpdated": "2026-04-08T17:20:10.937Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-5324 (GCVE-0-2024-5324)
Vulnerability from cvelistv5
Published
2024-06-06 02:02
Modified
2026-04-08 16:32
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
Multiple plugins for WordPress utilizing the XootiX Framework are vulnerable to unauthorized modification of data due to a missing capability check on the 'import_settings' function in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator.
References
| URL | Tags | ||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| xootix | Waitlist Woocommerce ( Back in stock notifier ) |
Version: 0 ≤ 2.6 |
|||||||||||||||||
|
|||||||||||||||||||
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:xootix:login\\/signup_popup:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "login\\/signup_popup",
"vendor": "xootix",
"versions": [
{
"lessThanOrEqual": "2.7.2",
"status": "affected",
"version": "2.7.1",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5324",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-16T18:13:46.920950Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T15:49:40.152Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:11:12.430Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/005a27c6-b9eb-466c-b0c3-ce52c25bb321?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/easy-login-woocommerce/trunk/includes/xoo-framework/admin/class-xoo-admin-settings.php#L83"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3093994/"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Waitlist Woocommerce ( Back in stock notifier )",
"vendor": "xootix",
"versions": [
{
"lessThanOrEqual": "2.6",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "OTP Login \u0026 Register Woocommerce",
"vendor": "xootix",
"versions": [
{
"lessThanOrEqual": "2.6.1",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Side Cart Woocommerce | Woocommerce Cart",
"vendor": "xootix",
"versions": [
{
"status": "affected",
"version": "2.5"
}
]
},
{
"defaultStatus": "unaffected",
"product": "Login \u0026 Register Customizer \u2013 Popup | Slider | Inline | WooCommerce",
"vendor": "xootix",
"versions": [
{
"lessThanOrEqual": "2.7.2",
"status": "affected",
"version": "2.7.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "AmrAwad"
}
],
"descriptions": [
{
"lang": "en",
"value": "Multiple plugins for WordPress utilizing the XootiX Framework are vulnerable to unauthorized modification of data due to a missing capability check on the \u0027import_settings\u0027 function in various versions. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary options on affected sites. This can be used to enable new user registration and set the default role for new users to Administrator."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:32:18.330Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/005a27c6-b9eb-466c-b0c3-ce52c25bb321?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/easy-login-woocommerce/trunk/includes/xoo-framework/admin/class-xoo-admin-settings.php#L83"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3093994/"
},
{
"url": "https://plugins.trac.wordpress.org/browser/side-cart-woocommerce/trunk/includes/xoo-framework/admin/class-xoo-admin-settings.php#L83"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3111541/"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3115392/mobile-login-woocommerce/trunk?contextall=1\u0026old=3084918\u0026old_path=%2Fmobile-login-woocommerce%2Ftrunk"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3117332/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-06-05T13:11:37.000Z",
"value": "Disclosed"
}
],
"title": "XootiX Framework \u003c= Various Plugin Versions - Missing Authorization to Arbitrary Options Update"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-5324",
"datePublished": "2024-06-06T02:02:48.411Z",
"dateReserved": "2024-05-24T16:18:24.858Z",
"dateUpdated": "2026-04-08T16:32:18.330Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-0215 (GCVE-0-2022-0215)
Vulnerability from cvelistv5
Published
2022-01-18 16:52
Modified
2025-02-13 20:41
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
The Login/Signup Popup, Waitlist Woocommerce ( Back in stock notifier ), and Side Cart Woocommerce (Ajax) WordPress plugins by XootiX are vulnerable to Cross-Site Request Forgery via the save_settings function found in the ~/includes/xoo-framework/admin/class-xoo-admin-settings.php file which makes it possible for attackers to update arbitrary options on a site that can be used to create an administrative user account and grant full privileged access to a compromised site. This affects versions <= 2.2 in Login/Signup Popup, versions <= 2.5.1 in Waitlist Woocommerce ( Back in stock notifier ), and versions <= 2.0 in Side Cart Woocommerce (Ajax).
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| XootiX | Login/Signup Popup |
Version: 2.2 < |
||||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T23:18:42.789Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.wordfence.com/blog/2022/01/84000-wordpress-sites-affected-by-three-plugins-with-the-same-vulnerability/"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://wordfence.com/vulnerability-advisories/#CVE-2022-0215"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/easy-login-woocommerce/tags/2.2/includes/xoo-framework/admin/class-xoo-admin-settings.php#L122"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/waitlist-woocommerce/tags/2.5.1/includes/xoo-framework/admin/class-xoo-admin-settings.php#L122"
},
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/side-cart-woocommerce/tags/2.1/includes/xoo-framework/admin/class-xoo-admin-settings.php?rev=2538194#L128"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2022-0215",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-13T20:41:27.213869Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-13T20:41:32.669Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Login/Signup Popup",
"vendor": "XootiX",
"versions": [
{
"lessThanOrEqual": "2.2",
"status": "affected",
"version": "2.2",
"versionType": "custom"
}
]
},
{
"product": "Waitlist Woocommerce ( Back in stock notifier )",
"vendor": "XootiX",
"versions": [
{
"lessThanOrEqual": "2.5.1",
"status": "affected",
"version": "2.5.1",
"versionType": "custom"
}
]
},
{
"product": "Side Cart Woocommerce (Ajax)",
"vendor": "XootiX",
"versions": [
{
"lessThanOrEqual": "2.0",
"status": "affected",
"version": "2.0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Chloe Chamberland, Wordfence"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Login/Signup Popup, Waitlist Woocommerce ( Back in stock notifier ), and Side Cart Woocommerce (Ajax) WordPress plugins by XootiX are vulnerable to Cross-Site Request Forgery via the save_settings function found in the ~/includes/xoo-framework/admin/class-xoo-admin-settings.php file which makes it possible for attackers to update arbitrary options on a site that can be used to create an administrative user account and grant full privileged access to a compromised site. This affects versions \u003c= 2.2 in Login/Signup Popup, versions \u003c= 2.5.1 in Waitlist Woocommerce ( Back in stock notifier ), and versions \u003c= 2.0 in Side Cart Woocommerce (Ajax)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2022-01-18T16:52:32.000Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.wordfence.com/blog/2022/01/84000-wordpress-sites-affected-by-three-plugins-with-the-same-vulnerability/"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://wordfence.com/vulnerability-advisories/#CVE-2022-0215"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://plugins.trac.wordpress.org/browser/easy-login-woocommerce/tags/2.2/includes/xoo-framework/admin/class-xoo-admin-settings.php#L122"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://plugins.trac.wordpress.org/browser/waitlist-woocommerce/tags/2.5.1/includes/xoo-framework/admin/class-xoo-admin-settings.php#L122"
},
{
"tags": [
"x_refsource_MISC"
],
"url": "https://plugins.trac.wordpress.org/browser/side-cart-woocommerce/tags/2.1/includes/xoo-framework/admin/class-xoo-admin-settings.php?rev=2538194#L128"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to the latest versions available for each plugin."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "XootiX Plugins \u003c= Various Versions Cross-Site Request Forgery to Arbitrary Options Update",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "Wordfence",
"ASSIGNER": "security@wordfence.com",
"ID": "CVE-2022-0215",
"STATE": "PUBLIC",
"TITLE": "XootiX Plugins \u003c= Various Versions Cross-Site Request Forgery to Arbitrary Options Update"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Login/Signup Popup",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "2.2",
"version_value": "2.2"
}
]
}
},
{
"product_name": "Waitlist Woocommerce ( Back in stock notifier )",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "2.5.1",
"version_value": "2.5.1"
}
]
}
},
{
"product_name": "Side Cart Woocommerce (Ajax)",
"version": {
"version_data": [
{
"version_affected": "\u003c=",
"version_name": "2.0",
"version_value": "2.0"
}
]
}
}
]
},
"vendor_name": "XootiX"
}
]
}
},
"credit": [
{
"lang": "eng",
"value": "Chloe Chamberland, Wordfence"
}
],
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The Login/Signup Popup, Waitlist Woocommerce ( Back in stock notifier ), and Side Cart Woocommerce (Ajax) WordPress plugins by XootiX are vulnerable to Cross-Site Request Forgery via the save_settings function found in the ~/includes/xoo-framework/admin/class-xoo-admin-settings.php file which makes it possible for attackers to update arbitrary options on a site that can be used to create an administrative user account and grant full privileged access to a compromised site. This affects versions \u003c= 2.2 in Login/Signup Popup, versions \u003c= 2.5.1 in Waitlist Woocommerce ( Back in stock notifier ), and versions \u003c= 2.0 in Side Cart Woocommerce (Ajax)."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-352 Cross-Site Request Forgery (CSRF)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.wordfence.com/blog/2022/01/84000-wordpress-sites-affected-by-three-plugins-with-the-same-vulnerability/",
"refsource": "MISC",
"url": "https://www.wordfence.com/blog/2022/01/84000-wordpress-sites-affected-by-three-plugins-with-the-same-vulnerability/"
},
{
"name": "https://wordfence.com/vulnerability-advisories/#CVE-2022-0215",
"refsource": "MISC",
"url": "https://wordfence.com/vulnerability-advisories/#CVE-2022-0215"
},
{
"name": "https://plugins.trac.wordpress.org/browser/easy-login-woocommerce/tags/2.2/includes/xoo-framework/admin/class-xoo-admin-settings.php#L122",
"refsource": "MISC",
"url": "https://plugins.trac.wordpress.org/browser/easy-login-woocommerce/tags/2.2/includes/xoo-framework/admin/class-xoo-admin-settings.php#L122"
},
{
"name": "https://plugins.trac.wordpress.org/browser/waitlist-woocommerce/tags/2.5.1/includes/xoo-framework/admin/class-xoo-admin-settings.php#L122",
"refsource": "MISC",
"url": "https://plugins.trac.wordpress.org/browser/waitlist-woocommerce/tags/2.5.1/includes/xoo-framework/admin/class-xoo-admin-settings.php#L122"
},
{
"name": "https://plugins.trac.wordpress.org/browser/side-cart-woocommerce/tags/2.1/includes/xoo-framework/admin/class-xoo-admin-settings.php?rev=2538194#L128",
"refsource": "MISC",
"url": "https://plugins.trac.wordpress.org/browser/side-cart-woocommerce/tags/2.1/includes/xoo-framework/admin/class-xoo-admin-settings.php?rev=2538194#L128"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to the latest versions available for each plugin."
}
],
"source": {
"discovery": "UNKNOWN"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2022-0215",
"datePublished": "2022-01-18T16:52:32.000Z",
"dateReserved": "2022-01-13T00:00:00.000Z",
"dateUpdated": "2025-02-13T20:41:32.669Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}