A significant security vulnerability has been uncovered in the “Abandoned Cart Lite for WooCommerce” plugin, which is actively utilized on over 30,000 websites. This critical flaw enables potential attackers to access the accounts of users who have left items in their shopping carts. This includes not only standard customers but could extend to higher-level users under specific conditions, as noted by cybersecurity firm Defiant’s Wordfence.
The vulnerability, identified as CVE-2023-2986, has been rated an alarming 9.8 out of 10 in severity under the Common Vulnerability Scoring System (CVSS). It affects every version of the plugin up to and including 5.14.2.
At the heart of the issue lies an authentication bypass resulting from inadequate encryption measures during the notification process for customers who abandon their carts on e-commerce platforms. Specifically, a hard-coded encryption key within the plugin permits malicious actors to exploit this flaw and log in as users with abandoned carts.
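The root cause described above, illustrated with added hypothetical code (not the plugin's own implementation): a cart-recovery login token derived from a key that ships inside the plugin source is the same on every site and can be regenerated from the user ID alone, whereas the hardened issuer sketched here uses a per-site random secret, an expiry, single-use tokens, and refuses to auto-login privileged accounts. All names (`weak_token`, `CartLinkIssuer`, `SHIPPED_KEY`) are assumptions for illustration.

```python
# Illustrative cart-recovery login tokens: a weak design whose key is a
# constant in the plugin source (the class of flaw behind CVE-2023-2986)
# next to a hardened design. Hypothetical code, not the plugin's own.
import hashlib
import hmac
import secrets
import time

# Weak: the key is baked into the code, so every installation shares it and
# any token is reproducible from nothing more than the user id.
SHIPPED_KEY = b"example-constant-key-in-plugin-source"  # constructed value


def weak_token(user_id: int) -> str:
    return hmac.new(SHIPPED_KEY, str(user_id).encode(), hashlib.sha256).hexdigest()


class CartLinkIssuer:
    """Hardened: per-site secret, bound expiry, single use, no admin auto-login."""

    def __init__(self, ttl_seconds: int = 7 * 24 * 3600):
        # Generated once per site at install time and stored outside the code
        # (database option or config file); assumption for this illustration.
        self.secret = secrets.token_bytes(32)
        self.ttl = ttl_seconds
        self.used = set()

    def _sign(self, user_id: int, expires: int) -> str:
        msg = f"{user_id}:{expires}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue(self, user_id: int, now=None) -> str:
        now = int(time.time() if now is None else now)
        expires = now + self.ttl
        return f"{user_id}:{expires}:{self._sign(user_id, expires)}"

    def verify(self, token: str, now=None, is_privileged=lambda uid: False):
        """Return the user id the link logs in, or None if it must be rejected."""
        now = int(time.time() if now is None else now)
        try:
            uid_s, exp_s, sig = token.split(":")
            user_id, expires = int(uid_s), int(exp_s)
        except ValueError:
            return None
        if not hmac.compare_digest(sig, self._sign(user_id, expires)):
            return None  # forged or tampered token
        if now > expires or token in self.used or is_privileged(user_id):
            return None  # expired, replayed, or would log in an admin
        self.used.add(token)
        return user_id
```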
Security researcher István Márton highlighted the potential ramifications of this vulnerability, indicating that it could enable attackers to gain access not only to customer accounts but potentially to administrative accounts or other elevated user accounts if they have previously interacted with the abandoned cart feature.
The vulnerability was responsibly disclosed on May 30, 2023, and addressed by the plugin’s developer, Tyche Softwares, on June 6, 2023, with the release of version 5.15.0. The most recent version of Abandoned Cart Lite for WooCommerce is now 5.15.2, underscoring the urgency for website owners to update their plugins promptly.
This vulnerability was disclosed alongside another serious authentication bypass flaw affecting the “Booking Calendar | Appointment Booking | BookIt” plugin from StylemixThemes, which has also been assigned a CVSS score of 9.8 and affects over 10,000 WordPress installations. The issue stems from insufficient verification during the appointment booking process, allowing unauthenticated attackers to access any user account, including administrative accounts, if they know the email address associated with that account.
The flaw in the Booking Calendar plugin, which affects all versions up to 2.3.7, was rectified in release version 2.3.8 on June 13, 2023. As both of these vulnerabilities highlight the risks present within popular WordPress plugins, it is vital for business owners to remain vigilant regarding plugin updates and security protocols.
From a cybersecurity perspective, exploitation of vulnerabilities of this kind maps onto several tactics in the MITRE ATT&CK framework: initial access through exploitation of a vulnerable public-facing application, persistence through unauthorized use of legitimate user accounts, and privilege escalation where an administrative account can be reached. Defending against such vulnerabilities requires not only prompt software updates but also a comprehensive understanding of risk management within the e-commerce domain.