Critical Security Flaw Detected in WordPress Plugin for WooCommerce, Posing Risk to 30K Websites

Heena Goyal
. June 23, 2023
440 Views
Shares

Critical Security Flaw in WooCommerce Plugin Endangers 30K Websites

The WordPress “Abandoned Cart Lite for WooCommerce” plugin, which is installed on over 30,000 websites, has been found with a severe security problem.

This vulnerability allows an attacker to gain access to the accounts of users who have abandoned their carts, who are typically customers but can extend to other high-level users when the right conditions are met, according to an advisory from Defiant’s Wordfence.

The vulnerability, identified as CVE-2023-2986, has a CVSS severity rating of 9.8 out of 10. Every version of the plugin has been affected by it, including versions 5.14.2 and earlier.

The issue is an instance of authentication bypass that results from inadequate encryption safeguards used when clients are alerted after they have abandoned their shopping carts on e-commerce websites without making the transaction.

The encryption key is specifically hard-coded in the plugin, making it possible for fraudulent individuals to log in as users with abandoned carts.

According to security researcher István Márton, “there is a chance that by exploiting the authentication bypass vulnerability, an attacker can gain access to an administrative user account, or another higher-level user account if they have been testing the abandoned cart functionality”.

The vulnerability was fixed by the plugin’s creator, Tyche Softwares, on June 6, 2023, with version 5.15.0 after being responsibly disclosed on May 30, 2023. Abandoned Cart Lite for WooCommerce is currently at version 5.15.2.

With over 10,000 WordPress installations, StylemixThemes’ “Booking Calendar | Appointment Booking | BookIt” plugin (CVE-2023-2834, CVSS score: 9.8) has been exposed as having yet another authentication bypass problem by Wordfence.

Márton stated, “This is because the user’s information was not sufficiently verified while making an appointment using the plugin.” If they have access to the email, this enables unauthenticated attackers to log in as any current user on the website, such as an administrator.

With the help of version 2.3.8, published on June 13, 2023, the problem can be fixed that affected versions 2.3.7 and earlier, further stated.

Facebook Tweet LinkedIn Pin

Heena Goyal

author

As a seasoned content writer with over 8 years of professional experience, Heena has honed the art of crafting compelling, SEO-friendly, and engaging content. With a passion for storytelling, she seamlessly weaves words to create impactful narratives that resonate with audiences across various industries. Throughout her career, Heena has collaborated with diverse clients, ranging from startups to established corporations, and has delivered an extensive array of content, including articles, blog posts, website copy, social media content, and marketing materials. She has touched almost all domains while writing content, however, eCommerce and Technology are her most favoured.