Authentication Bypass in Abandoned Cart Lite for WooCommerce Plugin by Tyche Softwares
CVE-2023-2986
Key Information:
- Vendor: WordPress (plugin developed by Tyche Softwares)
- CVE Published: 8 June 2023
Summary
The Abandoned Cart Lite for WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to and including 5.14.2. The links the plugin generates for abandoned carts are protected by inadequate encryption, and the routine that decodes such a link trusts what it recovers, so an unauthenticated attacker who can construct a link that decodes correctly is logged in as the customer who abandoned the cart. Version 5.15.1 added hardening that blocks the bypass through historical checkout links, and version 5.15.2 added a further check so that a null key value can no longer be used to trigger it; 5.15.2 is therefore the first fully fixed release, and sites should be on that version or later.
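The weakness described above is a design pattern rather than a single bug: a cart-recovery link carries a reversible encoding of the customer's identity under a key that ships inside the plugin, so anyone who reads the (public) plugin source can mint a link for any customer, and the site treats a link that decodes cleanly as proof of identity. The following is an added example that models that pattern and its fix in Python; it is not code from Abandoned Cart Lite, and the plugin's real cipher, key and parameter names are not reproduced. The static key, the repeating-key XOR stand-in for "inadequate encryption", the user and cart IDs, and the function names are all constructed for illustration.

```python
"""Forgeable cart-recovery token versus a hardened, server-side random token.

Added example modelling the weakness class, not the plugin's own code.
"""
import base64
import hashlib
import secrets
import time
from typing import Dict, Optional

# --- Vulnerable pattern --------------------------------------------------
# Constructed stand-in for a key embedded in plugin source (assumption): the
# attacker has it because the plugin is publicly downloadable.
STATIC_KEY = b"plugin-wide-static-key"


def _xor_stream(data: bytes, key: bytes) -> bytes:
    # Repeating-key XOR: reversible, and trivially invertible once the key is known.
    # Any cipher under a fixed, shipped key has the same property for an attacker.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_recovery_token_vulnerable(user_id: int, cart_id: int) -> str:
    """Site side: encode 'user:cart' under the static key and put it in the link."""
    payload = f"{user_id}:{cart_id}".encode()
    return base64.urlsafe_b64encode(_xor_stream(payload, STATIC_KEY)).decode()


def login_from_token_vulnerable(token: str) -> Optional[int]:
    """Site side: whoever the token decodes to is logged in. Returns the user id
    the visitor would be authenticated as, or None if the token does not decode."""
    try:
        raw = _xor_stream(base64.urlsafe_b64decode(token.encode()), STATIC_KEY)
        user_id, _cart_id = raw.decode().split(":", 1)
        return int(user_id)
    except (ValueError, UnicodeDecodeError):
        return None


def forge_token(victim_user_id: int) -> str:
    """Attacker side: with the key known, a token for any user id is one call away.
    No interaction with the victim or the site is needed to build it."""
    return make_recovery_token_vulnerable(victim_user_id, cart_id=0)


# --- Hardened pattern -----------------------------------------------------
# The link carries an opaque random token; the site stores only its hash, bound
# to the cart it was issued for, with an expiry and single-use semantics.
# There is nothing to decrypt, so there is nothing to forge.
TOKEN_TTL = 7 * 24 * 3600                     # seconds; illustrative choice
_TOKENS: Dict[str, dict] = {}                 # sha256(token) -> record


def make_recovery_token_hardened(user_id: int, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    digest = hashlib.sha256(token.encode()).hexdigest()
    _TOKENS[digest] = {"user_id": user_id, "expires": now + TOKEN_TTL}
    return token


def login_from_token_hardened(token: Optional[str], now: Optional[float] = None) -> Optional[int]:
    """Returns the user id the cart belongs to, or None. Rejects null/empty keys
    explicitly (the class of input 5.15.2 hardened against), unknown tokens,
    expired tokens, and tokens that have already been redeemed."""
    now = time.time() if now is None else now
    if not token:
        return None
    digest = hashlib.sha256(token.encode()).hexdigest()
    record = _TOKENS.pop(digest, None)         # pop: a token can be redeemed once
    if record is None or now > record["expires"]:
        return None
    return record["user_id"]


if __name__ == "__main__":
    # Attacker forges a link for user 1 without ever seeing a legitimate one.
    print("vulnerable:", login_from_token_vulnerable(forge_token(1)))   # 1
    t = make_recovery_token_hardened(42)
    print("hardened first use:", login_from_token_hardened(t))           # 42
    print("hardened replay:", login_from_token_hardened(t))              # None
```

Two design points carry the fix. First, the link must not contain anything an attacker can compute: an unpredictable token looked up server-side replaces a decryptable payload. Second, redeeming a recovery link should at most restore the cart for the session; if the site chooses to authenticate the customer from it, the token must be single-use and short-lived, and an empty or missing key must be rejected before any lookup rather than matched against an empty stored value.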
Affected Version(s)
Abandoned Cart Lite for WooCommerce <= 5.15.1
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that a vulnerability can be exploited. Because it also removes most of the effort needed to weaponize a flaw, public PoC code is a common precursor to mass exploitation, including ransomware campaigns.
Timeline
- Public PoC available
- Exploit known to exist
- Vulnerability published: 8 June 2023
- Vulnerability reserved