WordPress plugins affected by critical vulnerability impacting 84,000 websites

Threat Level – Amber | Vulnerability Report

For a detailed advisory, download the PDF file here.

WordPress powers over 43.0% of all the websites on the Internet. A Cross-Site Request Forgery (CSRF) vulnerability (CVE-2022-0215) was discovered in three WordPress plugins. The flaw made it possible for an attacker to update arbitrary site options on a vulnerable site, provided they could trick the site’s administrator into performing an action such as clicking on a link.

The vulnerability (CVE-2022-0215) exists because of a lack of validation when processing AJAX requests. This lets an attacker set the “users_can_register” option (i.e., anyone can register) to true and set the “default_role” setting (i.e., the role assigned to users who register at the blog) to administrator, granting complete control of the site.
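The handler pattern the advisory describes, beside a hardened version, as an added example in WordPress PHP; this is not code from the affected plugins or from Hive Pro, and the plugin slug, option names and AJAX action names are hypothetical:

```php
<?php
// Added example; not code from the Xootix plugins or from Hive Pro.
// "example_plugin" and the "example_save_option" AJAX action are hypothetical.

// VULNERABLE PATTERN (the class of bug in the advisory): a logged-in admin's
// browser can be driven to this handler by a forged request, and the handler
// writes any option it is handed, including users_can_register and default_role.
add_action( 'wp_ajax_example_save_option_vulnerable', function () {
    $name  = sanitize_text_field( wp_unslash( $_POST['option_name'] ?? '' ) );
    $value = sanitize_text_field( wp_unslash( $_POST['option_value'] ?? '' ) );
    update_option( $name, $value ); // no nonce, no capability check, no allowlist
    wp_send_json_success();
} );

// HARDENED PATTERN: three independent checks; any one of them alone defeats
// the CSRF described above.
add_action( 'wp_ajax_example_save_option', function () {
    // 1. A nonce bound to this action proves the request originated from a page
    //    this plugin rendered for this user, not from an attacker-controlled page.
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'example_save_option', 'nonce' );

    // 2. Only users allowed to manage options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // exits
    }

    // 3. Allowlist the options this plugin owns, so core options such as
    //    users_can_register and default_role are never reachable from here.
    $allowed = array( 'example_plugin_popup_enabled', 'example_plugin_popup_delay' );
    $name    = sanitize_key( $_POST['option_name'] ?? '' );
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'unknown option', 400 ); // exits
    }

    $value = sanitize_text_field( wp_unslash( $_POST['option_value'] ?? '' ) );
    update_option( $name, $value );
    wp_send_json_success( array( 'option' => $name ) );
} );

// The settings page embeds this nonce and the admin script posts it back as
// the "nonce" field checked above.
function example_plugin_nonce() {
    return wp_create_nonce( 'example_save_option' );
}
```

Audit any `wp_ajax_*` handler that calls `update_option()` for the same three checks; the second and third are what keep a single missed nonce from turning into an administrator takeover.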

The flaw impacts three plugins maintained by Xootix:

Login/Signup Popup (over 20,000 websites)
Side Cart WooCommerce (over 4,000 websites)
Waitlist WooCommerce (over 60,000 websites)

Hive Pro researchers strongly recommend that affected customers upgrade to a fixed version as soon as possible.
