Critical Flaw Found in WordPress Plugin for WooCommerce Used by 30,000 Websites
Cyber Security Threat Summary:
“A critical security flaw has been disclosed in the WordPress "Abandoned Cart Lite for WooCommerce" plugin that's installed on more than 30,000 websites. ‘This vulnerability makes it possible for an attacker to gain access to the accounts of users who have abandoned their carts, who are typically customers but can extend to other high-level users when the right conditions are met,’ Defiant's Wordfence said in an advisory. Tracked as CVE-2023-2986, the shortcoming has been rated 9.8 out of 10 for severity on the CVSS scoring system. It impacts all versions of the plugin, including and prior to version 5.14.2. The problem, at its core, is a case of authentication bypass that arises as a result of insufficient encryption protections that are applied when customers are notified when they have abandoned their shopping carts on e-commerce sites without completing the purchase. Specifically, the encryption key is hard-coded in the plugin, thereby allowing malicious actors to log in as a user with an abandoned cart” (The Hacker News, 2023).
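The root cause described above is a cart-recovery link whose token is protected by a key shipped inside the plugin's source, so the same key exists on every installation and the token carries nothing site-specific. The following added example, written for this summary and not taken from the plugin or from Wordfence, contrasts that flawed pattern with a hardened one in Python (the same construction translates directly to PHP with hash_hmac and hash_equals). All names, the placeholder key, the secrets, the cart ids and the role policy are constructed for illustration.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Constructed stand-in for the flawed design: one key shipped inside the plugin
# source, therefore identical on every site that installs the plugin.
HARDCODED_KEY = b"example-key-compiled-into-plugin"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def static_key_token(user_id: int, key: bytes = HARDCODED_KEY) -> str:
    """Flawed pattern: the link token depends only on the user id and a constant
    that ships with the code, so nothing in it is specific to one installation
    and anyone holding the plugin source can reproduce it."""
    mac = hmac.new(key, str(user_id).encode(), hashlib.sha256).digest()
    return _b64(mac)


class CartLinkSigner:
    """Hardened pattern (constructed): per-installation random secret, expiry,
    cart binding, and constant-time verification."""

    def __init__(self, site_secret: Optional[bytes] = None, ttl_seconds: int = 7 * 24 * 3600):
        # Generated once per installation and stored server-side, never in plugin source.
        self.secret = site_secret or secrets.token_bytes(32)
        self.ttl = ttl_seconds

    def _mac(self, payload: bytes) -> bytes:
        return hmac.new(self.secret, payload, hashlib.sha256).digest()

    def issue(self, user_id: int, cart_id: str, now: Optional[int] = None) -> str:
        now = int(time.time()) if now is None else now
        claims = {"u": user_id, "c": cart_id, "e": now + self.ttl}
        payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
        return _b64(payload) + "." + _b64(self._mac(payload))

    def verify(self, token: str, now: Optional[int] = None) -> Optional[dict]:
        """Return the claims if the token is authentic and unexpired, else None."""
        now = int(time.time()) if now is None else now
        try:
            payload_b64, mac_b64 = token.split(".")
            payload, mac = _unb64(payload_b64), _unb64(mac_b64)
        except (ValueError, binascii.Error):
            return None
        # Compare MACs in constant time before trusting anything in the payload.
        if not hmac.compare_digest(mac, self._mac(payload)):
            return None
        claims = json.loads(payload)
        if now >= claims["e"]:
            return None
        return claims


# Constructed policy: a cart-recovery link restores a cart; it must never double
# as a login for privileged accounts, the escalation path the advisory warns about.
PRIVILEGED_ROLES = {"administrator", "editor", "shop_manager"}


def cart_restore_allowed(claims: Optional[dict], user_roles: set) -> bool:
    return claims is not None and not (set(user_roles) & PRIVILEGED_ROLES)


if __name__ == "__main__":
    site_a = CartLinkSigner(site_secret=b"A" * 32, ttl_seconds=3600)
    site_b = CartLinkSigner(site_secret=b"B" * 32, ttl_seconds=3600)
    issued_at = 1_700_000_000
    token = site_a.issue(42, "cart-7", now=issued_at)
    print("static-key token, reproducible on any site:", static_key_token(42))
    print("site A accepts its own token:", site_a.verify(token, now=issued_at + 10) is not None)
    print("site B rejects site A's token:", site_b.verify(token, now=issued_at + 10) is None)
    print("expired token rejected:", site_a.verify(token, now=issued_at + 3600) is None)
```

The point the example makes is structural: with a static key the token is a pure function of public data plus code everyone can download, whereas a per-installation secret makes a token from one site worthless on another, the expiry bounds how long a leaked link stays usable, and the role check keeps a cart-recovery link from ever becoming an administrator session.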
Security Officer Comments:
The flaw was addressed by the plugin developer on June 6, 2023, with the release of Abandoned Cart Lite for WooCommerce version 5.15.0. Researchers note that this flaw could be exploited by a threat actor to gain access to an administrative user account, thereby enabling the attacker to take complete control of websites running the vulnerable versions of the plugin. As of this writing, WordPress hasn’t mentioned whether this flaw has been exploited in attacks in the wild. However, given the public disclosure, it won’t be long before actors leverage the vulnerability in attacks.
Suggested Correction(s):
Administrators of websites running the vulnerable plugin should ensure they update to version 5.15.0 or later as soon as possible to prevent potential attacks.
Link(s):
https://thehackernews.com/2023/06/critical-flaw-found-in-wordpress-plugin.html