Headline
Critical Flaw Found in WordPress Plugin for WooCommerce Used by 30,000 Websites
A critical security flaw has been disclosed in the WordPress “Abandoned Cart Lite for WooCommerce” plugin that’s installed on more than 30,000 websites. “This vulnerability makes it possible for an attacker to gain access to the accounts of users who have abandoned their carts, who are typically customers but can extend to other high-level users when the right conditions are met,” Defiant’s
Website Security / WordPress
A critical security flaw has been disclosed in the WordPress “Abandoned Cart Lite for WooCommerce” plugin that’s installed on more than 30,000 websites.
“This vulnerability makes it possible for an attacker to gain access to the accounts of users who have abandoned their carts, who are typically customers but can extend to other high-level users when the right conditions are met,” Defiant’s Wordfence said in an advisory.
Tracked as CVE-2023-2986, the shortcoming has been rated 9.8 out of 10 for severity on the CVSS scoring system. It impacts all versions of the plugin, including and prior to versions 5.14.2.
The problem, at its core, is a case of authentication bypass that arises as a result of insufficient encryption protections that are applied when customers are notified when they have abandoned their shopping carts on e-commerce sites without completing the purchase.
Specifically, the encryption key is hard-coded in the plugin, thereby allowing malicious actors to login as a user with an abandoned cart.
“However, there is a chance that by exploiting the authentication bypass vulnerability, an attacker can gain access to an administrative user account, or another higher-level user account if they have been testing the abandoned cart functionality,” security researcher István Márton said.
Following responsible disclosure on May 30, 2023, the vulnerability was addressed by the plugin developer, Tyche Softwares, on June 6, 2023, with version 5.15.0. The current version of Abandoned Cart Lite for WooCommerce is 5.15.2.
The disclosure comes as Wordfence revealed another authentication bypass flaw impacting StylemixThemes’ “Booking Calendar | Appointment Booking | BookIt” plugin (CVE-2023-2834, CVSS score: 9.8) that has over 10,000 WordPress installs.
“This is due to insufficient verification on the user being supplied during booking an appointment through the plugin,” Márton explained. “This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.”
The flaw, affecting versions 2.3.7 and earlier, has been addressed in version 2.3.8, which was released on June 13, 2023.
Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.
Related news
The BookIt plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 2.3.7. This is due to insufficient verification on the user being supplied during booking an appointment through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.
WordPress BookIt plugin versions 2.3.7 and below suffer from an authentication bypass vulnerability.
WordPress Abandoned Cart Lite for WooCommerce plugin versions 5.14.2 and below suffer from an authentication bypass vulnerability.
WordPress Abandoned Cart Lite for WooCommerce plugin versions 5.14.2 and below proof of concept authentication bypass exploit.
The Abandoned Cart Lite for WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.14.2. This is due to insufficient encryption on the user being supplied during the abandoned cart link decode through the plugin. This allows unauthenticated attackers to log in as users who have abandoned the cart, which users are typically customers.