CVE-2023-2986: Abandoned Cart Lite for WooCommerce Plugin Faces Authentication Bypass Vulnerability
Today we bring to you an urgent security update concerning the well-known WordPress plugin ‘Abandoned Cart Lite for WooCommerce,’ a tool that more than 30,000 websites across the globe have incorporated into their business operations. The plugin is currently under threat from a serious security vulnerability, a problematic authentication bypass issue that can put both your website and customer data at risk.
Digital shopping carts left abandoned are not just revenue losses but also perplexing puzzles that often leave e-commerce business owners scratching their heads. Why did a potential customer load up their cart only to abandon it halfway? How can these customers be lured back into completing the purchase? Abandoned Cart Lite for WooCommerce is designed to address this puzzle. It allows store owners to send periodic reminders and personalized offers via email, text, and messenger to re-engage customers who have left their shopping carts idle.
However, a sinister issue has arisen that threatens this otherwise beneficial tool. The Abandoned Cart Lite for WooCommerce plugin is currently exposed to an authentication bypass vulnerability in versions up to and including 5.14.2. The vulnerability, which is tracked as CVE-2023-2986, has a CVSS score of 9.8.
The root of the problem lies in the insufficient encryption the plugin uses when it decodes the abandoned cart link. This security gap gives an unauthenticated attacker the opportunity to log in as any user who has abandoned a cart, potentially compromising the account information of customers.
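The article does not show the plugin's link format, so the following is an added illustration of the general defence for this class of bug, not the plugin's code or its 5.15.0 fix: a cart-recovery link whose token is authenticated with a per-site secret and expires. The names `SITE_SECRET`, `TOKEN_TTL`, `issue_token` and `verify_token` and the token layout are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Assumption: a random secret generated per site at install time and kept
# out of the shipped code, so one site's links cannot be forged from another's.
SITE_SECRET = secrets.token_bytes(32)
TOKEN_TTL = 48 * 3600  # hypothetical validity window, in seconds


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(cart_id: int, now=None, secret=SITE_SECRET) -> str:
    """Build the token placed in a reminder link: payload plus HMAC tag."""
    expires = int(time.time() if now is None else now) + TOKEN_TTL
    payload = f"{cart_id}:{expires}".encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64(payload)}.{_b64(tag)}"


def verify_token(token: str, now=None, secret=SITE_SECRET):
    """Return the cart id for a valid, unexpired token, otherwise None."""
    try:
        payload_part, tag_part = token.split(".")
        payload, tag = _unb64(payload_part), _unb64(tag_part)
        expected = hmac.new(secret, payload, hashlib.sha256).digest()
        # Check the tag before parsing anything the link supplied.
        if not hmac.compare_digest(tag, expected):
            return None
        cart_id, expires = payload.decode().split(":")
        if int(expires) < int(time.time() if now is None else now):
            return None
        # Design choice of this example: a valid token identifies a cart to
        # restore; it is not treated as proof of who is holding the link.
        return int(cart_id)
    except (ValueError, UnicodeDecodeError):
        return None
```

A token whose cart id has been edited, whose tag came from a different secret, or whose expiry has passed is rejected before any cart or account is looked up.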
Wordfence researcher Lana Codes identified the vulnerability, and there is already evidence of hackers attempting to exploit this security hole. Wordfence’s logs note that “Wordfence blocked 3 attacks targeting this vulnerability in the past 24 hours.”
Given the serious nature of the CVE-2023-2986 security vulnerability, action must be taken swiftly to ensure your website and customer data remain safe. If you’re currently using the Abandoned Cart Lite for WooCommerce plugin, it is essential to upgrade to version 5.15.0 immediately. This new update has been released to address and patch the security vulnerability, offering your online store the safety it needs.