The WordPress “Abandoned Cart Lite for WooCommerce” plugin, which is installed on over 30,000 websites, has been found with a severe security problem.
The vulnerability allows an attacker to gain access to the accounts of users who have abandoned their carts; these are typically customers, but under the right conditions can include higher-level users, according to an advisory from Defiant’s Wordfence.
The vulnerability, tracked as CVE-2023-2986, has a CVSS severity rating of 9.8 out of 10. It affects every version of the plugin up to and including 5.14.2.
The issue is an authentication bypass that results from inadequate encryption safeguards in the notifications sent to customers who abandon their shopping carts on e-commerce websites without completing the transaction.
Specifically, the encryption key is hard-coded in the plugin, making it possible for malicious actors to log in as users with abandoned carts.
According to security researcher István Márton, “there is a chance that by exploiting the authentication bypass vulnerability, an attacker can gain access to an administrative user account, or another higher-level user account if they have been testing the abandoned cart functionality”.
The plugin’s developer, Tyche Softwares, fixed the vulnerability in version 5.15.0 on June 6, 2023, after it was responsibly disclosed on May 30, 2023. Abandoned Cart Lite for WooCommerce is currently at version 5.15.2.
Wordfence has also disclosed another authentication bypass, in StylemixThemes’ “Booking Calendar | Appointment Booking | BookIt” plugin (CVE-2023-2834, CVSS score: 9.8), which has over 10,000 WordPress installations.
Márton stated, “This is because the user’s information was not sufficiently verified while making an appointment using the plugin.” This enables unauthenticated attackers who have access to a user’s email address to log in as any existing user on the website, such as an administrator.
The problem, which affected versions 2.3.7 and earlier, was fixed in version 2.3.8, published on June 13, 2023.
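Both advisories come down to the same design mistake: a request is treated as proof of identity when it only carries something a stranger can reproduce (a token derived with a key that ships in the plugin source, or an email address typed into a booking form). The following Python sketch is an added illustration written for this article; it is not code from either plugin or from Wordfence, and the function names, the `USERS` table and the `CART_LINK_TABLE` store are assumptions constructed for the example. It contrasts a deterministic, hard-coded-key token with a random, hashed, expiring cart-recovery token that reopens a cart without logging anyone in, and shows a booking handler that refuses to turn a submitted email into an account login.

```python
import hashlib
import hmac
import secrets
import time

# Constructed sample accounts and an in-memory stand-in for a database table.
USERS = {
    101: {"email": "shopper@example.test", "role": "customer"},
    1: {"email": "admin@example.test", "role": "administrator"},
}
CART_LINK_TABLE = {}  # sha256(token) -> {"cart_id", "user_id", "expires"}

# --- Weak pattern (assumed illustration of the flaw class, not the plugin's code) ---
# A key embedded in distributed source is effectively public. Any token derived
# from it and a predictable input (a numeric user id) is the same on every site,
# every time, so it identifies a user but cannot authenticate the bearer.
HARD_CODED_KEY = b"constant-key-shipped-with-every-install"

def weak_recovery_token(user_id):
    """Deterministic token: same output for the same user id on every install."""
    return hmac.new(HARD_CODED_KEY, str(user_id).encode(), hashlib.sha256).hexdigest()

# --- Hardened pattern ---
TOKEN_TTL_SECONDS = 7 * 24 * 3600  # assumed lifetime for a recovery link

def issue_cart_link(cart_id, user_id, now=None):
    """Create an unguessable recovery token bound to one cart with an expiry.

    Only a SHA-256 digest is stored, so a database leak does not expose live
    tokens. The token is fresh randomness, not derived from any key or id.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness
    digest = hashlib.sha256(token.encode()).hexdigest()
    CART_LINK_TABLE[digest] = {
        "cart_id": cart_id,
        "user_id": user_id,
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return token

def redeem_cart_link(token, now=None):
    """Return the cart to reopen, or None if the link is unknown or expired.

    Deliberately never returns a user session: a recovery link restores a
    cart, and checkout still goes through the normal login flow.
    """
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    record = CART_LINK_TABLE.get(digest)
    if record is None or now > record["expires"]:
        return None
    return {"cart_id": record["cart_id"]}

def attach_booking(submitted_email, session_user_id=None):
    """Decide who owns a new booking without trusting the submitted email.

    The email is untrusted input. It may match an existing account, but the
    booking is attached to that account only if the requester is already
    authenticated as it; otherwise it is recorded as a guest booking.
    Returns ("account", user_id) or ("guest", email).
    """
    match = next(
        (uid for uid, u in USERS.items()
         if u["email"].lower() == submitted_email.lower()),
        None,
    )
    if match is not None and session_user_id == match:
        return ("account", match)
    return ("guest", submitted_email)

if __name__ == "__main__":
    link = issue_cart_link(cart_id=555, user_id=101)
    print("reopen:", redeem_cart_link(link))
    print("booking by stranger naming admin:", attach_booking("admin@example.test"))
```

The weak token is reproducible because everything that goes into it (the key and the user id) is available to anyone who can read the plugin; the hardened token is a secret that exists only in the link and only until it expires. The booking helper applies the same rule to the second advisory: an email address can select an account, but only an existing authenticated session can bind the request to it.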