A critical security flaw has been disclosed in the WordPress plugin “Abandoned Cart Lite for WooCommerce,” which is installed on more than 30,000 websites.
“This vulnerability allowed an attacker to gain access to the accounts of users who have abandoned their carts, who are normally customers but could extend to other high-level users when the right conditions are met,” Defiant’s Wordfence said in an advisory.
Tracked as CVE-2023-2986, the shortcoming is rated 9.8 out of 10 for severity on the CVSS scoring system. It affects all versions of the plugin up to and including 5.14.2.
The problem, at its core, is an authentication bypass that arises from inadequate encryption protection applied when customers are notified that they left items in their shopping cart on an e-commerce site without completing a purchase.
Specifically, the encryption key is hard-coded in the plugin, which allows bad actors to log in as the user who abandoned the cart.
“However, it is possible that by exploiting an authentication bypass vulnerability, attackers could gain access to administrative user accounts, or other high-level user accounts if they have tested abandoned basket functionality,” said security researcher István Márton.
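To show the defensive alternative to the pattern described above, here is an added example in plain PHP; it is not code from the plugin, Tyche Softwares or Wordfence. The recovery link is signed with a per-site secret generated at install time rather than a key that ships with the plugin, and automatic login is refused for privileged roles. The function names, the token format and the assumption that the secret lives in the site's options are all illustrative.

```php
<?php
// Added illustrative example, not the plugin's own code. Instead of a key that
// ships inside the plugin (shared by every site, readable with the source), the
// recovery link is signed with a per-site secret generated once at install time.

// Create the per-site secret once (assumed stored in the site's options), never in plugin source.
function generate_site_secret(): string {
    return bin2hex(random_bytes(32));
}

// Build a recovery token of the form "user_id:expires_at:hmac".
function make_recovery_token(int $user_id, int $expires_at, string $secret): string {
    $payload = $user_id . ':' . $expires_at;
    return $payload . ':' . hash_hmac('sha256', $payload, $secret);
}

// Verify a token; returns the user id, or null on any failure.
function verify_recovery_token(string $token, string $secret, int $now): ?int {
    $parts = explode(':', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$user_id, $expires_at, $mac] = $parts;
    if (!ctype_digit($user_id) || !ctype_digit($expires_at)) {
        return null;
    }
    if ((int) $expires_at < $now) {
        return null; // link has expired
    }
    $expected = hash_hmac('sha256', $user_id . ':' . $expires_at, $secret);
    if (!hash_equals($expected, $mac)) {
        return null; // constant-time MAC comparison
    }
    return (int) $user_id;
}

// A valid token alone should never log in an administrator who merely tested
// the feature; restrict automatic login to low-privilege customer accounts.
function may_auto_login(string $role): bool {
    return $role === 'customer';
}

// Demo with constructed values.
$secret = generate_site_secret();
$now    = time();
$token  = make_recovery_token(42, $now + 3600, $secret);
var_dump(verify_recovery_token($token, $secret, $now));         // valid token
var_dump(verify_recovery_token($token, $secret, $now + 7200));  // expired
var_dump(verify_recovery_token($token, 'wrong-secret', $now));  // bad MAC
var_dump(may_auto_login('administrator'));
```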
Following responsible disclosure on May 30, 2023, the vulnerability was addressed by the plugin developer, Tyche Softwares, on June 6, 2023, with the release of version 5.15.0. The current version of Abandoned Cart Lite for WooCommerce is 5.15.2.
The disclosure comes as Wordfence also detailed another authentication bypass flaw affecting StylemixThemes’ “Booking Calendar | Appointment Booking | BookIt” plugin (CVE-2023-2834, CVSS score: 9.8), which has more than 10,000 WordPress installs.
“This is due to insufficient verification on the user provided during the appointment booking through the plugin,” Márton explained. “This allows an unauthenticated attacker to log in as an existing user on the site, such as an administrator, if they have access to email.”
The flaw, which affects versions 2.3.7 and earlier, was addressed in version 2.3.8, released on June 13, 2023.