CVE-2022-0215: 
WordPress vulnerability analysis and mitigation

CVE-2022-0215 affects three WordPress plugins developed by XootiX: Login/Signup Popup (<=2.2), Waitlist Woocommerce (<=2.5.1), and Side Cart Woocommerce (<=2.0). The vulnerability was discovered in January 2022 and involves a Cross-Site Request Forgery (CSRF) vulnerability in the save_settings function within the class-xoo-admin-settings.php file (CVE Mitre, Hacker News).

The vulnerability stems from a lack of validation when processing AJAX requests in the save_settings function. The CSRF vulnerability has been assigned a CVSS score of 8.8 (high severity). The flaw exists in the ~/includes/xoo-framework/admin/class-xoo-admin-settings.php file and allows attackers to update arbitrary options on affected sites (WPScan).

The vulnerability affects over 84,000 WordPress websites collectively across the three plugins: Login/Signup Popup (20,000+ sites), Side Cart Woocommerce (4,000+ sites), and Waitlist Woocommerce (60,000+ sites). If exploited, attackers can update arbitrary site options, including the ability to create administrative user accounts and gain full privileged access to compromised sites (Hacker News).

The vulnerability has been patched in the following versions: Login/Signup Popup version 2.3, Side Cart Woocommerce version 2.1, and Waitlist Woocommerce version 2.5.2. Site administrators are strongly advised to update their plugins to these latest versions to protect against potential attacks (WPScan).