Select Page

A critical security flaw has been disclosed in the WordPress “Abandoned Cart Lite for WooCommerce” plugin that’s installed on more than 30,000 websites.

“This vulnerability makes it possible for an attacker to gain access to the accounts of users who have abandoned their carts, who are typically customers but can extend to other high-level users when the right conditions are met,” Defiant’s Wordfence said in an advisory.

Tracked as CVE-2023-2986, the shortcoming has been rated 9.8 out of 10 for severity on the CVSS scoring system. It impacts all versions of the plugin, including and prior to versions 5.14.2.

The problem, at its core, is a case of authentication bypass that arises as a result of insufficient encryption protections that are applied when customers are notified when they have abandoned their shopping carts on e-commerce sites without completing the purchase.

Specifically, the encryption key is hard-coded in the plugin, thereby allowing malicious actors to login as a user with an abandoned cart.

images from Hacker News