WordPress Plugin Vulnerability Report – Abandoned Cart Lite for WooCommerce – Cross-Site Request Forgery

Plugin Name: Abandoned Cart Lite for WooCommerce

Key Information:

  • Software Type: Plugin
  • Software Slug: woocommerce-abandoned-cart
  • Software Status: Active
  • Software Author: tychesoftwares
  • Software Downloads: 1,004,642
  • Active Installs: 30,000
  • Last Updated: December 1, 2023
  • Patched Versions: 5.16.2
  • Affected Versions: <= 5.16.1

Vulnerability Details:

  • Name: Abandoned Cart Lite for WooCommerce <= 5.16.1 - Cross-Site Request Forgery
  • Title: Cross-Site Request Forgery
  • Type: Cross-Site Request Forgery (CSRF)
  • CVSS Score: 5.3 (Medium)
  • Publicly Published: December 1, 2023
  • Description: The Abandoned Cart Lite for WooCommerce plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.16.1. This is due to missing or incorrect nonce validation on the functions corresponding to AJAX actions. This makes it possible for unauthenticated attackers to dismiss notices and toggle template statuses, among other things, via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

Summary:

The Abandoned Cart Lite for WooCommerce plugin has a vulnerability in versions up to and including 5.16.1 that allows for Cross-Site Request Forgery. This vulnerability has been patched in version 5.16.2.

Detailed Overview:

The Cross-Site Request Forgery vulnerability in the Abandoned Cart Lite plugin allows an attacker to perform sensitive actions by tricking a logged-in admin user into visiting a specially crafted link or page. Because the plugin's AJAX handlers (registered through admin-ajax.php) did not validate a nonce, any request that the administrator's browser sends, including one triggered by an attacker-controlled page, is processed with the administrator's privileges. The attacker never sees the response and cannot act on their own; they are limited to the state changes those handlers expose, such as dismissing admin notices or toggling template statuses and other backend settings. Those changes can break abandoned-cart recovery or serve as a foothold for chaining with other weaknesses. The vulnerability is fixed by adding proper nonce verification to the affected AJAX actions in version 5.16.2.
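The following is an added illustration of the defect class described above, not code from the Abandoned Cart Lite plugin or from its patch. It shows a WordPress admin-ajax handler that performs a state change with no nonce check, beside a hardened version that calls check_ajax_referer() and then verifies the caller's capability, and the enqueue hook that hands the nonce to the plugin's own admin script. The action names (acl_demo_*), option names, the nonce action string, the admin page hook name and the admin.js file are all hypothetical.

```php
<?php
/**
 * Added example (hypothetical names throughout): a vulnerable WordPress
 * AJAX handler next to its hardened form. Requires a WordPress environment.
 */

// --- Vulnerable pattern: trusts any request that reaches admin-ajax.php ---
// Registering under wp_ajax_ only requires that a logged-in user make the
// request. A cross-site request forged by an attacker's page and sent by an
// administrator's browser satisfies that, so this runs with admin privileges.
add_action( 'wp_ajax_acl_demo_dismiss_notice', 'acl_demo_dismiss_notice_vulnerable' );
function acl_demo_dismiss_notice_vulnerable() {
    $template_id = isset( $_POST['template_id'] ) ? absint( $_POST['template_id'] ) : 0;
    update_option( 'acl_demo_notice_dismissed', 1 );                    // dismiss an admin notice
    update_option( 'acl_demo_template_' . $template_id . '_active', 0 ); // toggle a template off
    wp_send_json_success();
}

// --- Hardened pattern: nonce check, then capability check, then the change ---
// A nonce is bound to the logged-in user's session and is unknown to an
// attacker's page, so a forged request cannot carry a valid one.
add_action( 'wp_ajax_acl_demo_dismiss_notice_safe', 'acl_demo_dismiss_notice_safe' );
function acl_demo_dismiss_notice_safe() {
    // Looks for the nonce in $_REQUEST['security'] and stops the request
    // (HTTP 403, body "-1") when it is missing or invalid.
    check_ajax_referer( 'acl_demo_admin_nonce', 'security' );

    // A nonce proves intent, not authority: still verify the capability.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $template_id = isset( $_POST['template_id'] ) ? absint( $_POST['template_id'] ) : 0;
    update_option( 'acl_demo_notice_dismissed', 1 );
    update_option( 'acl_demo_template_' . $template_id . '_active', 0 );
    wp_send_json_success();
}

// --- Issuing the nonce to the plugin's own admin script ---
add_action( 'admin_enqueue_scripts', 'acl_demo_enqueue_admin_script' );
function acl_demo_enqueue_admin_script( $hook ) {
    // Only load on the plugin's own admin page (hook name is hypothetical).
    if ( 'toplevel_page_acl-demo' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'acl-demo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    // admin.js reads aclDemo.security and sends it as the "security" field
    // of every POST to aclDemo.ajaxUrl, which is what check_ajax_referer() reads.
    wp_localize_script( 'acl-demo-admin', 'aclDemo', array(
        'ajaxUrl'  => admin_url( 'admin-ajax.php' ),
        'security' => wp_create_nonce( 'acl_demo_admin_nonce' ),
    ) );
}
```

Two points worth keeping in mind when reviewing a fix like this. First, the nonce and the capability check do different jobs: the nonce defeats forged requests from other origins, while current_user_can() stops a lower-privileged logged-in user from invoking an admin-only action directly. Second, WordPress nonces are not single-use and are valid for up to 24 hours, so the protection rests on the attacker's page being unable to read the nonce, which is why it must only be emitted into the plugin's own authenticated admin pages and never into public responses.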

Advice for Users:

  1. Immediate Action: Update to version 5.16.2 or later to patch the vulnerability.
  2. Check for Signs of Exploitation: A forged request is sent by the administrator's own browser, so the web server log shows only an ordinary authenticated admin-ajax.php request. Instead, review the plugin's settings and email template statuses for changes you did not make, and treat dismissed notices or disabled templates you do not remember as suspicious.
  3. Alternate Plugins: If you cannot update promptly, consider deactivating the plugin or switching to an alternative abandoned-cart plugin until you can.
  4. Stay Updated: Keep plugins, themes and WordPress core updated to their latest versions.

Conclusion:

The developers' prompt fix in version 5.16.2 addresses a medium-severity vulnerability. Users should update to 5.16.2 or later as soon as possible.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/woocommerce-abandoned-cart

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/woocommerce-abandoned-cart/abandoned-cart-lite-for-woocommerce-5161-cross-site-request-forgery

Detailed Report:

Do you run an online store on WordPress and WooCommerce? If you use the popular Abandoned Cart Lite plugin, active on over 30,000 shops, to recover lost sales, listen up: a medium-severity vulnerability disclosed on December 1, 2023 puts your site at risk until patched.

This plugin helps store owners re-engage the 30-60% of customers who abandon their shopping carts by sending follow-up emails and notifications. However, all versions up to and including 5.16.1 contain a cross-site request forgery (CSRF) vulnerability: because the plugin's AJAX handlers did not validate a nonce, a crafted link or page visited by a logged-in administrator can make their browser send requests that modify plugin settings or dismiss admin alerts without the administrator intending it.

Updating to version 5.16.2 fixes this bug. Left unpatched, this medium-severity vulnerability lets an attacker who can lure an administrator to a malicious page change the plugin's configuration, for example by toggling abandoned-cart email templates off, which alters or breaks the recovery emails the store relies on. Because the forged request is sent by the administrator's own browser, it looks like an ordinary admin action in your logs, which makes such changes hard to attribute after the fact. The attacker is limited to what the plugin's AJAX handlers expose, but unexpected configuration changes are also a foothold that can be chained with other weaknesses.

Unfortunately, there have been over 10 previous vulnerabilities found in this plugin since 2015 that also enabled site takeovers and unauthorized access. This underscores the absolute importance of prompt updates even for popular, well-used plugins.

To secure your website, update Abandoned Cart Lite to 5.16.2 now. Don’t ignore update notices for plugins - set calendar reminders if needed! Web technology evolves incredibly fast. New vulnerabilities in all software constantly emerge. Failing to update plugins, themes and WordPress core opens the door wide for cyber attacks and site crashes.

Security vulnerabilities like this one demonstrate the importance of having WordPress experts regularly monitor, maintain and update your site. At Your WP Guy, we offer ongoing management to handle updates, security monitoring, backups, uptime and support so you can stop worrying and get back to growing your business.

Let us fully audit your site to check for any signs of this vulnerability or other issues. We'll immediately update any out-of-date plugins and harden your site's security. Chat with us anytime during business hours, schedule a call or call 678-995-5169 to lock down your online presence.
