A critical security flaw has been disclosed in the WordPress "Abandoned Cart Lite for WooCommerce" plugin that's installed on more than 30,000 websites.
"This vulnerability makes it possible for an attacker to gain access to the accounts of users who have abandoned their carts, who are typically customers but can extend to other high-level users when the right conditions are met," Defiant's Wordfence said in an advisory.
Tracked as CVE-2023-2986, the shortcoming has been rated 9.8 out of 10 for severity on the CVSS scoring system. It impacts all versions of the plugin, including and prior to versions 5.14.2.
The problem, at its core, is a case of authentication bypass that arises as a result of insufficient encryption protections that are applied when customers are notified when they have abandoned their shopping carts on e-commerce sites without completing the purchase.
Specifically, the encryption key is hard-coded in the plugin, thereby allowing malicious actors to login as a user with an abandoned cart.
"However, there is a chance that by exploiting the authentication bypass vulnerability, an attacker can gain access to an administrative user account, or another higher-level user account if they have been testing the abandoned cart functionality," security researcher István Márton said.
Following responsible disclosure on May 30, 2023, the vulnerability was addressed by the plugin developer, Tyche Softwares, on June 6, 2023, with version 5.15.0. The current version of Abandoned Cart Lite for WooCommerce is 5.15.2.
The disclosure comes as Wordfence revealed another authentication bypass flaw impacting StylemixThemes' "Booking Calendar | Appointment Booking | BookIt" plugin (CVE-2023-2834, CVSS score: 9.8) that has over 10,000 WordPress installs.
"This is due to insufficient verification on the user being supplied during booking an appointment through the plugin," Márton explained. "This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the email."
The flaw, affecting versions 2.3.7 and earlier, has been addressed in version 2.3.8, which was released on June 13, 2023.