Critical Flaw Found in WordPress Plugin for WooCommerce Used by 30,000 Websites

Critical Flaw Found in WordPress Plugin for WooCommerce Used by 30,000 Websites

A critical security flaw has been disclosed in the WordPress “Abandoned Cart Lite for WooCommerce” plugin that’s installed on more than 30,000 websites.

“This vulnerability makes it possible for an attacker to gain access to the accounts of users who have abandoned their carts, who are typically customers but can extend to other high-level users when the right conditions are met,” Defiant’s Wordfence said in an advisory.

Tracked as CVE-2023-2986, the shortcoming has been rated 9.8 out of 10 for severity on the CVSS scoring system. It impacts all versions of the plugin, including and prior to versions 5.14.2.

The problem, at its core, is a case of authentication bypass that arises as a result of insufficient encryption protections that are applied when customers are notified when they have abandoned their shopping carts on e-commerce sites without completing the purchase.

Following responsible disclosure on May 30, 2023, the vulnerability was addressed by the plugin developer, Tyche Softwares, on June 6, 2023, with version 5.15.0. The current version of Abandoned Cart Lite for WooCommerce is 5.15.2.

The disclosure comes as Wordfence revealed another authentication bypass flaw impacting StylemixThemes’ “Booking Calendar | Appointment Booking | BookIt” plugin (CVE-2023-2834, CVSS score: 9.8) that has over 10,000 WordPress installs.

“This is due to insufficient verification on the user being supplied during booking an appointment through the plugin,” Márton explained.

“This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.”