The WordPress “Abandoned Cart Lite for WooCommerce” plugin, which is used on over 30,000 websites, has been found to have a serious security flaw.
In an advisory, Defiant’s Wordfence stated, “This vulnerability makes it possible for an attacker to gain access to the accounts of users who have abandoned their carts, typically customers but can extend to other high-level users when the right conditions are met.”
The flaw, tracked as CVE-2023-2986, has been assigned a CVSS severity score of 9.8 out of 10. It affects all versions of the plugin up to and including 5.14.2.
The weakness lies in the links that customers receive when an e-commerce site notifies them that they left items in their shopping cart without completing the purchase: insufficient encryption protections on those links allow them to be abused. At its core, the issue is an authentication bypass.
More specifically, the plugin has hard-coded the encryption key, making it possible for malicious individuals to log in as a user with an abandoned cart.
“However, it is also possible that by exploiting the authentication bypass vulnerability, an attacker can gain access to an administrative user account, or another higher-level user account, if they have been testing the abandoned cart functionality,” security researcher István Márton said.
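As an added illustration (not the plugin's own code), the weak pattern the advisory describes, a recovery token that is a deterministic function of the user id keyed by a constant shipped in the source, is shown beside a hardened design: random, single-use, expiring tokens of which only a hash is stored, and which are never issued for privileged roles. The role names, the 24-hour lifetime and the in-memory store are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# WEAK (illustrative): the link value is derived from the user id with a key that is
# identical on every install because it lives in the source. Whoever has read the
# source can compute the accepted value for any user id, so the link proves nothing.
HARDCODED_KEY = b"constant-key-shipped-in-plugin-source"  # constructed placeholder

def weak_link_token(user_id: int) -> str:
    return hmac.new(HARDCODED_KEY, str(user_id).encode(), hashlib.sha256).hexdigest()

def weak_login(user_id: int, token: str) -> bool:
    # Same user id -> same accepted token, forever, on every site using this key.
    return hmac.compare_digest(weak_link_token(user_id), token)

# HARDENED: a high-entropy token generated per email, stored only as a hash (so a
# database leak does not yield usable links), expiring and consumed on first use.
@dataclass
class PendingRecovery:
    user_id: int
    expires_at: float

PENDING: Dict[str, PendingRecovery] = {}  # stand-in for a database table
TTL_SECONDS = 24 * 3600                   # assumed lifetime of a recovery link
PRIVILEGED_ROLES = {"administrator", "shop_manager"}  # assumed role names

def issue_recovery_token(user_id: int, role: str, now: Optional[float] = None) -> Optional[str]:
    # Never mint an auto-login link for an elevated account, even if that
    # account was the one "testing" the abandoned-cart flow.
    if role in PRIVILEGED_ROLES:
        return None
    token = secrets.token_urlsafe(32)
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    PENDING[token_hash] = PendingRecovery(user_id, (now or time.time()) + TTL_SECONDS)
    return token  # plaintext exists only in the email that is sent

def redeem_recovery_token(token: str, now: Optional[float] = None) -> Optional[int]:
    token_hash = hashlib.sha256(token.encode()).hexdigest()
    rec = PENDING.pop(token_hash, None)  # single use: removed whether valid or expired
    if rec is None or (now or time.time()) > rec.expires_at:
        return None
    return rec.user_id
```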
The plugin developer, Tyche Softwares, fixed the vulnerability with version 5.15.0 on June 6, 2023, following responsible disclosure on May 30, 2023. Abandoned Cart Lite for WooCommerce is currently available in version 5.15.2.
Wordfence recently disclosed a second authentication bypass flaw that affected the StylemixThemes plugin “Booking Calendar | Appointment Booking | BookIt” (CVE-2023-2834, CVSS score: 9.8) with more than 10,000 WordPress installations.
Márton explained, “This is due to insufficient user verification provided when booking an appointment through the plugin.” This makes it possible for unauthenticated attackers to log in as any existing user on the website, such as an administrator, provided they have access to the email.
The flaw, which affects versions 2.3.7 and prior, was addressed in version 2.3.8, released on June 13, 2023.