Threat Advisory

Critical Flaw Uncovered in WordPress Plugin Used by 30,000 Websites

June 28, 2023 | By Accorian

WordPress, the world’s most popular website builder, has recently published a critical vulnerability in one of its plugins, Abandoned Cart Lite for WooCommerce. The plugin is used by approximately 30,000 websites. The vulnerability is tracked as CVE-2023-2986 and has been assigned a CVSS score of 9.8.

The vulnerability revolves around a broken access-control mechanism, which allows an adversary to gain unauthorized access to the accounts of users who have left their carts without completing the purchase (abandoned carts). As configured, the Abandoned Cart Lite for WooCommerce plugin sends a notification to customers who have not completed their purchase. The notification contains a link that automatically logs the customer in to the website so they can continue the process. Although this link carries an encrypted value that identifies the abandoned cart, the encryption key for that value is hardcoded in the plugin. This flaw allows adversaries to manipulate the abandoned cart id and gain access to the account associated with that cart.
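The root cause described above is that the auto-login link can be forged by anyone who knows the key baked into the plugin source. The following is an added illustration, not code from the plugin or from Accorian, of the design a defender would want instead: a per-site secret generated at install time (here simply constructed in memory), and a link token that binds the cart id and an expiry to an HMAC under that secret, so that editing the cart id in a link invalidates it. The function and variable names are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed example: a per-site secret generated once at install time and kept
# in site configuration, never embedded in distributed plugin code.
SITE_SECRET = secrets.token_bytes(32)

DEFAULT_TTL_SECONDS = 7 * 24 * 3600  # links expire after a week (example value)


def make_cart_link_token(cart_id: int, secret: bytes,
                         ttl_seconds: int = DEFAULT_TTL_SECONDS,
                         now: Optional[int] = None) -> str:
    """Build an auto-login token bound to one abandoned cart.

    The cart id and expiry travel in clear; an HMAC over both, keyed with the
    site-specific secret, prevents anyone without that secret from producing a
    valid tag for a different cart id or a later expiry.
    """
    issued = int(time.time()) if now is None else now
    expires = issued + ttl_seconds
    payload = f"{cart_id}:{expires}".encode()
    tag = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    return f"{cart_id}:{expires}:{tag}"


def verify_cart_link_token(token: str, secret: bytes,
                           now: Optional[int] = None) -> Optional[int]:
    """Return the cart id if the token is authentic and unexpired, else None."""
    try:
        cart_id_str, expires_str, tag = token.split(":")
        cart_id = int(cart_id_str)
        expires = int(expires_str)
    except ValueError:
        return None  # malformed token
    payload = f"{cart_id}:{expires}".encode()
    expected = hmac.new(secret, payload, hashlib.sha256).hexdigest()
    # Constant-time comparison so the tag cannot be guessed byte by byte via timing.
    if not hmac.compare_digest(expected, tag):
        return None
    current = int(time.time()) if now is None else now
    if current > expires:
        return None
    return cart_id


def alter_cart_id(token: str, new_cart_id: int) -> str:
    """Test helper: a link recipient edits the cart id in their own link.

    Used here only to show that the verifier rejects the altered link.
    """
    _, expires, tag = token.split(":")
    return f"{new_cart_id}:{expires}:{tag}"


if __name__ == "__main__":
    token = make_cart_link_token(42, SITE_SECRET)
    print("genuine link resolves to cart:", verify_cart_link_token(token, SITE_SECRET))
    print("altered link resolves to cart:",
          verify_cart_link_token(alter_cart_id(token, 43), SITE_SECRET))
```

The essential property is that the tag depends on a secret that differs per installation, so learning the plugin's source code gives no ability to mint links for other carts; the expiry bounds how long a leaked notification e-mail remains usable, and a production implementation would additionally mark the token as consumed after its first use.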

To mitigate this vulnerability, Accorian strongly recommends that organizations update the Abandoned Cart Lite for WooCommerce plugin to the latest version, 5.15.1. With this update the encryption key is no longer hardcoded, which prevents unauthorized access to user accounts through manipulated abandoned cart identifiers. It is also recommended to keep the site current with all future updates.
