Critical Abandoned Cart Lite for WooCommerce Plugin Vulnerability
June 22, 2023
A critical security flaw has been discovered in the WordPress “Abandoned Cart Lite for WooCommerce” plugin.
Successful exploitation may allow threat actors to log in as users who have abandoned their carts. These are typically customers, but the affected set can also include higher-privileged users who abandoned a cart.
The Vulnerability
- CVE-2023-2986 (CVSS 3.1: 9.8, Critical): authentication bypass caused by insufficient encryption protections on the notification links sent to customers who abandon a shopping cart on an e-commerce site without completing the purchase.
The encryption key used to protect those links is hard-coded in the plugin, so anyone who reads the plugin source can forge a link and log in as a user who has an abandoned cart.
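The flaw class is easier to see in code. The following is an added illustration written for this page, not code from the plugin or from Wordfence: a vulnerable "login by emailed link" scheme whose key is a constant shipped in the source (so an attacker who has read the source mints a valid link for any user ID), next to a hardened version that uses a per-install random secret, an HMAC, an expiry and single use. The cipher, key names, class and function names are all hypothetical, and the toy XOR keystream stands in for whatever the plugin actually used; the point is key management, not the cipher.

```python
"""Constructed model of the hard-coded-key login-link flaw (not the plugin's code)."""
import base64
import hashlib
import hmac
import os
import time
from typing import Optional


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: SHA-256 counter keystream XOR data. Illustration only."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


# --- vulnerable pattern: the key is a constant in the shipped plugin source ---
HARD_CODED_KEY = b"plugin-fixed-key"  # hypothetical; identical on every install


def make_login_token_vulnerable(user_id: int, cart_id: int, key: bytes = HARD_CODED_KEY) -> str:
    """Token placed in the 'you left items in your cart' e-mail link."""
    payload = f"{user_id}|{cart_id}".encode()
    return base64.urlsafe_b64encode(_keystream_xor(key, payload)).decode()


def resolve_token_vulnerable(token: str, key: bytes = HARD_CODED_KEY) -> Optional[int]:
    """What the site does on click: decrypt and log in whichever user ID is inside."""
    try:
        plain = _keystream_xor(key, base64.urlsafe_b64decode(token)).decode()
        user_id, _cart = plain.split("|")
        return int(user_id)
    except ValueError:  # bad base64, bad UTF-8, or wrong field layout
        return None


# --- hardened pattern: per-install secret, HMAC, expiry, single use ---
class AbandonedCartLinks:
    """Hypothetical replacement: nothing in the source lets an outsider forge a link."""

    def __init__(self, secret: Optional[bytes] = None, ttl_seconds: int = 3600):
        # Generated once at install time and stored in the database, never in code.
        self.secret = secret or os.urandom(32)
        self.ttl = ttl_seconds
        self._used = set()  # nonces already redeemed (would be a DB table in practice)

    def issue(self, user_id: int, cart_id: int, now: Optional[int] = None) -> str:
        exp = int(now if now is not None else time.time()) + self.ttl
        nonce = os.urandom(8).hex()
        body = f"{user_id}|{cart_id}|{exp}|{nonce}".encode()
        tag = hmac.new(self.secret, body, hashlib.sha256).digest()
        return (base64.urlsafe_b64encode(body).decode() + "."
                + base64.urlsafe_b64encode(tag).decode())

    def redeem(self, token: str, now: Optional[int] = None) -> Optional[int]:
        """Return the user ID to log in, or None if the link is forged, expired or reused."""
        try:
            b64_body, b64_tag = token.split(".", 1)
            body = base64.urlsafe_b64decode(b64_body)
            tag = base64.urlsafe_b64decode(b64_tag)
        except ValueError:
            return None
        expected = hmac.new(self.secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):  # constant-time check first
            return None
        user_id, _cart, exp, nonce = body.decode().split("|")
        current = int(now if now is not None else time.time())
        if current > int(exp) or nonce in self._used:
            return None
        self._used.add(nonce)
        return int(user_id)


def demo():
    """Attacker who has read the plugin source forges a link for user ID 1."""
    forged = make_login_token_vulnerable(1, 0)      # needs only the public constant
    vulnerable_result = resolve_token_vulnerable(forged)  # site logs attacker in as user 1

    site = AbandonedCartLinks()                      # real install, random secret
    genuine = site.issue(1, 42)
    attacker = AbandonedCartLinks(secret=b"guess")  # attacker lacks the install secret
    forged_hardened = attacker.issue(1, 42)
    first = site.redeem(genuine)                    # 1: genuine link works once
    forged_result = site.redeem(forged_hardened)    # None: HMAC mismatch
    replay = site.redeem(genuine)                   # None: nonce already used
    return vulnerable_result, first, forged_result, replay


if __name__ == "__main__":
    print(demo())
```

The vulnerable half shows why "encrypted" is not the same as "unforgeable": with the key in the plugin, every attacker has the same capability as the site. The hardened half keeps the secret per install and out of the source, binds the link to an expiry and a nonce, and verifies the HMAC with a constant-time compare before trusting any field.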
Affected Versions
WordPress “Abandoned Cart Lite for WooCommerce” plugin – versions prior to 5.15.1.
Mitigation
CYREBRO recommends updating to the latest plugin version, 5.15.2, as soon as possible.
References: Wordfence Advisory