Critical Flaw Found in WordPress Plugin for WooCommerce Used by 30,000 Websites

June 22, 2023 | Ravi Lakshmanan | Website Security / WordPress


A serious security flaw has been disclosed in the Abandoned Cart Lite for WooCommerce WordPress plugin, which is installed on more than 30,000 websites.

“This vulnerability allows attackers to gain access to the accounts of abandoned cart users. Users are typically customers, but other higher-level users can be attacked if the right conditions are met,” Defiant’s Wordfence said in its advisory.

The flaw is tracked as CVE-2023-2986 and carries a severity rating of 9.8 out of 10 on the CVSS scoring system. It affects all versions of the plugin up to and including 5.14.2.

At the heart of the issue is an authentication bypass that results from inadequate cryptographic protection of the notification the plugin sends to a customer who abandons a shopping cart on an e-commerce site without completing the purchase. That notification carries a link that logs the recipient back in to recover the cart.

Specifically, the encryption keys used to protect that link are hard-coded into the plugin. Because the plugin source is public, anyone can read the keys, which allows an attacker to log in as any user who abandoned a cart.
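To make the mechanism concrete, the following is an added example and not code from Abandoned Cart Lite, Tyche Softwares or Wordfence. It contrasts a cart-recovery token "protected" by encryption under a key that ships inside the plugin (forgeable by anyone who downloads the plugin) with a token authenticated by an HMAC under a per-site random secret that never appears in the source. The function names, the constant key and IV, the token layout, the user IDs and the secret are all assumptions made for illustration, not the plugin's actual implementation.

```php
<?php
declare(strict_types=1);

// Added example, not code from the plugin or from Wordfence. All names, the
// constant key/IV, the token layout and the user IDs below are assumptions.

// ---------- Vulnerable pattern: key hard-coded in the plugin source ----------
// Every install shares these values and anyone can read them from the plugin ZIP,
// so "encrypted" is merely "encoded" from the attacker's point of view.
const HARDCODED_KEY = '0123456789abcdef';                    // constructed 16-byte key
const STATIC_IV     = "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0";    // constructed static IV

function vulnerable_issue_token(int $userId): string
{
    $ct = openssl_encrypt((string) $userId, 'aes-128-cbc', HARDCODED_KEY, OPENSSL_RAW_DATA, STATIC_IV);
    return base64_encode($ct);
}

// The site decrypts the token and logs in whichever user ID it finds inside.
function vulnerable_user_from_token(string $token): ?int
{
    $raw = base64_decode($token, true);
    if ($raw === false) {
        return null;
    }
    $pt = openssl_decrypt($raw, 'aes-128-cbc', HARDCODED_KEY, OPENSSL_RAW_DATA, STATIC_IV);
    return ($pt !== false && ctype_digit($pt)) ? (int) $pt : null;
}

// An attacker who read the key from the plugin can mint a token for any user ID.
function attacker_forge_token(int $targetUserId): string
{
    // Same constant key, same static IV: nothing here is secret from the attacker.
    return vulnerable_issue_token($targetUserId);
}

// ---------- Hardened pattern: per-site random secret + HMAC + expiry ----------
// The secret is generated once at install (for example stored as a WordPress
// option) and never appears in the plugin's source. Simulated here with random_bytes.
$SITE_SECRET = random_bytes(32);

function secure_issue_token(int $userId, int $expiresAt, string $secret): string
{
    $payload = $userId . ':' . $expiresAt;
    $mac = hash_hmac('sha256', $payload, $secret);
    return $payload . ':' . $mac;
}

function secure_user_from_token(string $token, string $secret, int $now): ?int
{
    $parts = explode(':', $token);
    if (count($parts) !== 3 || !ctype_digit($parts[0]) || !ctype_digit($parts[1])) {
        return null;                                  // malformed token
    }
    [$userId, $expiresAt, $mac] = $parts;
    if ((int) $expiresAt < $now) {
        return null;                                  // link has expired
    }
    $expected = hash_hmac('sha256', $userId . ':' . $expiresAt, $secret);
    if (!hash_equals($expected, $mac)) {              // constant-time comparison
        return null;                                  // forged or tampered
    }
    return (int) $userId;
}

// ---------- Demonstration on constructed input ----------
$customerId = 42;   // constructed: a shopper who abandoned a cart
$adminId    = 1;    // constructed: the site administrator

$legit  = vulnerable_issue_token($customerId);
$forged = attacker_forge_token($adminId);
printf("vulnerable: legit token resolves to user %s\n", var_export(vulnerable_user_from_token($legit), true));
printf("vulnerable: forged token resolves to user %s\n", var_export(vulnerable_user_from_token($forged), true));

$now  = time();
$good = secure_issue_token($customerId, $now + 7 * 86400, $SITE_SECRET);
printf("hardened: genuine token resolves to %s\n", var_export(secure_user_from_token($good, $SITE_SECRET, $now), true));

// Forgery attempt: the attacker cannot read the real secret and must guess one.
$bad = secure_issue_token($adminId, $now + 7 * 86400, 'attacker-guess');
printf("hardened: forged token resolves to %s\n", var_export(secure_user_from_token($bad, $SITE_SECRET, $now), true));

// Tampering attempt: rewrite the user ID inside an otherwise valid token.
$tampered = preg_replace('/^42:/', '1:', $good);
printf("hardened: tampered token resolves to %s\n", var_export(secure_user_from_token($tampered, $SITE_SECRET, $now), true));
```

Run it with `php example.php`. The vulnerable half resolves both the legitimate and the forged token to a user ID, because the only thing standing between the attacker and an admin session is a constant they can read from the plugin. The hardened half binds the user ID and an expiry to a secret the attacker does not have, rejects expired links, and compares the MAC in constant time with `hash_equals`. A further mitigation worth considering in a real plugin is to never issue login links at all for accounts with elevated capabilities, so that a recovery link for a shopper can never become a session for an administrator.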


“However, if an attacker were testing abandoned cart functionality, they could exploit the authentication bypass vulnerability to gain access to the admin user account, or another higher-level user account,” said security researcher Istvan Marton.

Following responsible disclosure on May 30, 2023, the vulnerability was addressed by plugin developer Tyche Softwares in version 5.15.0, released on June 6, 2023. The current version of Abandoned Cart Lite for WooCommerce is 5.15.2.

The disclosure comes after another authentication bypass flaw was revealed in the ‘Booking Calendar | Appointment Booking |’ WordPress plugin.

“This is due to insufficient user verification provided when booking through the plugin,” Marton explained. “This would allow an unauthenticated attacker with access to email to log in as an existing user on the site, such as an administrator.”

That flaw affected versions 2.3.7 and earlier and was fixed in version 2.3.8, released on June 13, 2023.
