Another vulnerability in the popular WordPress plugin, “Abandoned Cart Lite for WooCommerce,” was exposed. The plugin is currently active on over 30,000 websites.
According to a recent advisory by Defiant’s Wordfence, this vulnerability exposes a potential risk for attackers to gain unauthorized access to user accounts associated with abandoned shopping carts. While primarily affecting customers, the vulnerability can also impact other high-level users under certain conditions.
The vulnerability, identified as CVE-2023-2986 and rated with a severity score of 9.8 out of 10 on the CVSS scale, affects all plugin versions up to and including 5.14.2. The issue stems from inadequate encryption measures when notifying customers about their abandoned carts on e-commerce platforms.
The core problem lies in the hardcoded encryption key within the plugin, which enables malicious actors to log in as users with abandoned carts. This vulnerability can sometimes grant unauthorized access to administrative or higher-level accounts, potentially compromising sensitive functionalities.
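The pattern below is an added illustration, not the plugin's code or anything taken from the advisory: it contrasts a cart-recovery token derived from a key shipped in the source (identical on every install) with one bound to a per-site secret, an HMAC and an expiry. The secret handling and token layout are assumptions chosen for the example.

```php
<?php
// Added illustration (not the plugin's code): a "return to your cart" link should be a
// short-lived, signed token bound to a per-site secret, not a value that any copy of the
// plugin source can reproduce.

// Weak pattern: a key baked into the source is the same on every install, so the token
// for a given user and cart can be computed anywhere and never expires.
const SHIPPED_KEY = 'illustrative-static-key'; // placeholder, not a real key

function weak_cart_token(int $user_id, int $cart_id): string {
    return hash('sha256', SHIPPED_KEY . $user_id . $cart_id); // same on every site, no expiry
}

// Hardened pattern: per-site secret (generate once with random_bytes and store it,
// e.g. in a WordPress option), HMAC over the claims, and an expiry inside the payload.
function issue_cart_token(string $site_secret, int $user_id, int $cart_id, int $ttl = 86400, ?int $now = null): string {
    $now = $now ?? time();
    $payload = json_encode(['u' => $user_id, 'c' => $cart_id, 'exp' => $now + $ttl]);
    $mac = hash_hmac('sha256', $payload, $site_secret);
    return base64_encode($payload) . '.' . $mac; // urlencode() this when placing it in a link
}

function verify_cart_token(string $site_secret, string $token, ?int $now = null): ?array {
    $now = $now ?? time();
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2) return null;
    [$b64, $mac] = $parts;
    $payload = base64_decode($b64, true);
    if ($payload === false) return null;
    // Recompute the MAC and compare in constant time; any tampering is rejected here.
    if (!hash_equals(hash_hmac('sha256', $payload, $site_secret), $mac)) return null;
    $claims = json_decode($payload, true);
    if (!is_array($claims) || !isset($claims['u'], $claims['c'], $claims['exp'])) return null;
    if ($claims['exp'] < $now) return null; // expired links are not honoured
    return $claims;
}

// Demo with a constructed secret; in WordPress this would be generated once per site.
$secret = bin2hex(random_bytes(32));
$token  = issue_cart_token($secret, 42, 7);
var_dump(verify_cart_token($secret, $token) !== null);      // true: valid and unexpired
var_dump(verify_cart_token('other-site-secret', $token));   // NULL: another site's secret cannot verify it
var_dump(verify_cart_token($secret, $token . 'x'));         // NULL: tampered token
var_dump(verify_cart_token($secret, $token, time() + 90000)); // NULL: past its expiry
```

Binding the claims to something that changes when the account is reset (for example a hash of the user's current password hash) would additionally invalidate outstanding links after a credential change.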
To address this security flaw, the plugin developer, Tyche Software, promptly responded to responsible disclosure and released a fix on June 6, 2023, as version 5.15.0. The latest version available is 5.15.2, and users should update their installations to ensure protection against this vulnerability.
In a separate disclosure, security researcher István Márton and Wordfence also revealed an authentication bypass vulnerability in StylemixThemes’ “Booking Calendar | Appointment Booking | BookIt” plugin. This flaw, identified as CVE-2023-2834 and scoring 9.8 on the CVSS scale, impacts over 10,000 WordPress installations.
The vulnerability results from inadequate verification during the appointment booking, specifically related to the user credentials supplied. Exploiting this flaw, unauthenticated attackers can log in as any existing user, including administrators, provided they can access the corresponding email address.
The plugin developer has addressed this authentication bypass vulnerability in version 2.3.8, released on June 13, 2023, effectively resolving the issue found in previous versions (2.3.7 and earlier).
Website administrators should update to the latest version of the “Abandoned Cart Lite for WooCommerce” and “Booking Calendar | Appointment Booking | BookIt” plugins to mitigate the associated security risks. Maintaining vigilance and promptly applying security patches is crucial to ensure the integrity and protection of WordPress installations.