Critical WooCommerce Plugin Vulnerability in WordPress Impacts 30,000 Sites
This vulnerability makes it possible for an attacker to gain access to the accounts of users who have abandoned their carts. Those users are typically customers, but under the right conditions the affected accounts can include higher-level users.
The Common Vulnerability Scoring System (CVSS) has assigned the vulnerability, tracked as CVE-2023-2986, a severity rating of 9.8 out of 10. It affects all versions of the plugin up to and including 5.14.2.
The vulnerability is an authentication bypass that arises from insufficient encryption of the customer notification links sent when a shopper leaves a cart behind on an e-commerce site. Because the encryption key is hard-coded in the plugin, an attacker can log in as a user who has abandoned their cart.
Through this vulnerability, attackers may be able to access sensitive customer information such as email addresses, billing details, and order history. It might also give attackers access to user accounts, allowing them to take over those accounts and make illicit purchases.
However, there is a chance that by exploiting the authentication bypass vulnerability, an attacker can gain access to an administrative user account, or another higher-level user account if they have been testing the abandoned cart functionality.
István Márton, Security Researcher
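The hard-coded-key weakness described above and the privileged-account risk raised in the quote, shown as an added illustrative example that is not the plugin's code: a cart-recovery link value derived from the user id with a key that ships inside the plugin, beside a hardened issuer that uses a random single-use token, stores only its hash, enforces an expiry and refuses to issue login links for privileged roles. The key value, role names and the in-memory store are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Weak pattern (illustrative, not the plugin's code): the link carries a value
# derived from the user id with a key that ships inside the plugin source.
# Anyone who reads the plugin knows the key, so the value is fully predictable.
PLUGIN_WIDE_KEY = b"constant-shipped-with-plugin"  # constructed placeholder


def weak_link_value(user_id: int) -> str:
    """Deterministic: the same user id always yields the same link value."""
    return hmac.new(PLUGIN_WIDE_KEY, str(user_id).encode(), hashlib.sha256).hexdigest()


# Hardened pattern: opaque random token, stored only as a hash, bound to an
# expiry and consumed on first use; never issued for privileged roles.
PRIVILEGED_ROLES = {"administrator", "shop_manager"}  # constructed example roles


class CartLinkStore:
    def __init__(self, ttl_seconds: int = 24 * 3600):
        self.ttl = ttl_seconds
        self._rows: Dict[str, Tuple[int, float]] = {}  # token hash -> (user_id, expires_at)

    def issue(self, user_id: int, role: str, now: float) -> Optional[str]:
        if role in PRIVILEGED_ROLES:
            return None  # cart-recovery links must never log in privileged users
        token = secrets.token_urlsafe(32)  # 256 bits of randomness, not derivable from user id
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._rows[digest] = (user_id, now + self.ttl)  # store hash only, never the token
        return token

    def redeem(self, token: str, now: float) -> Optional[int]:
        digest = hashlib.sha256(token.encode()).hexdigest()
        row = self._rows.pop(digest, None)  # single use: removed on first lookup
        if row is None:
            return None
        user_id, expires_at = row
        if now > expires_at:
            return None  # expired links are rejected even if never used
        return user_id
```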
The vulnerability in Abandoned Cart Lite for WooCommerce was responsibly reported on May 30, 2023. On June 6, 2023, Tyche Softwares, the company that develops the plugin, released a patch that fixed the issue. The plugin is currently at version 5.15.2.
Under the Common Vulnerability Scoring System (CVSS), the vulnerability received a score of 9.8 out of 10, placing it in the critical range. As a result, attackers could bypass authentication and access private customer information.
This vulnerability was made public shortly after Wordfence disclosed a different authentication bypass affecting the “Booking Calendar | Appointment Booking | BookIt” plugin from StylemixThemes, which has over 10,000 WordPress installations (CVE-2023-2834, CVSS score: 9.8). Security researcher Márton explained:
This is due to insufficient verification on the user being supplied during booking an appointment through the plugin. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email.
The flaw, affecting versions 2.3.7 and earlier, has been addressed in version 2.3.8, which was released on June 13, 2023.