
Critical Flaw Found in WordPress Plugin for WooCommerce Used by 30,000 Websites
2023-06-22 10:17

A critical security flaw has been disclosed in the WordPress "Abandoned Cart Lite for WooCommerce" plugin that's installed on more than 30,000 websites.

The problem, at its core, is an authentication bypass that arises from insufficient encryption protection applied when customers are notified that they have abandoned their shopping carts on e-commerce sites without completing the purchase.

Specifically, the encryption key is hard-coded in the plugin, thereby allowing malicious actors to log in as a user with an abandoned cart.
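To illustrate the design point behind this bug, here is an added example (not the plugin's code and not the vendor's fix) of a cart-recovery link token keyed from a per-installation secret rather than a constant shipped in the plugin source, bound to a purpose and an expiry, and checked with a constant-time MAC comparison. The function names, token layout and SITE_SECRET are assumptions; the plugin's real link format is not described on the page.

```python
import base64, binascii, hashlib, hmac, json, secrets, time
from typing import Optional

# Per-installation secret, generated once at install time and stored in the
# site's configuration, never in the plugin's distributed source. A key that
# ships inside the plugin is the same on every site and is therefore public.
# (Constructed here for the example; a WordPress site would use its own salts.)
SITE_SECRET = secrets.token_bytes(32)

# Purpose string mixed into the MAC so a token minted for cart recovery cannot
# be replayed against some other feature that happens to use the same secret.
PURPOSE = b"abandoned-cart-recovery"

def _b64(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")

def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_link_token(cart_id: int, user_id: int, ttl_seconds: int,
                    secret: bytes = SITE_SECRET, now: Optional[int] = None) -> str:
    """Mint a short-lived token for the recovery link e-mailed to the customer."""
    now = int(time.time()) if now is None else now
    payload = json.dumps({"cart": cart_id, "user": user_id, "exp": now + ttl_seconds},
                         separators=(",", ":")).encode()
    tag = hmac.new(secret, PURPOSE + b"\0" + payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)

def verify_link_token(token: str, secret: bytes = SITE_SECRET,
                      now: Optional[int] = None) -> Optional[dict]:
    """Return the payload if the token is authentic and unexpired, else None.
    A valid token should only restore the named cart for the named user; it is
    not by itself a reason to create an authenticated session."""
    now = int(time.time()) if now is None else now
    try:
        p64, t64 = token.split(".")
        payload, tag = _unb64(p64), _unb64(t64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(secret, PURPOSE + b"\0" + payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None                               # wrong secret or altered payload
    data = json.loads(payload)
    if data.get("exp", 0) < now:
        return None                               # link has expired
    return data
```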

Following responsible disclosure on May 30, 2023, the vulnerability was addressed by the plugin developer, Tyche Softwares, on June 6, 2023, with version 5.15.0.

The current version of Abandoned Cart Lite for WooCommerce is 5.15.2.

The flaw, affecting versions 2.3.7 and earlier, has been addressed in version 2.3.8, which was released on June 13, 2023.


News URL

https://thehackernews.com/2023/06/critical-flaw-found-in-wordpress-plugin.html
