WordPress Plugin Vulnerability Report – Abandoned Cart Lite for WooCommerce – Improper Authorization Vulnerabilities

Plugin Name: Abandoned Cart Lite for WooCommerce

Key Information:

  • Software Type: Plugin
  • Software Slug: woocommerce-abandoned-cart
  • Software Status: Active
  • Software Author: tychesoftwares
  • Software Downloads: 995,970
  • Active Installs: 30,000
  • Last Updated: November 21, 2023
  • Patched Versions: 5.16.1
  • Affected Versions: < 5.16.1

Vulnerability Details:

  • Name: Abandoned Cart Lite for WooCommerce <= 5.16.0 - Improper Authorization via wcal_delete_expired_used_coupon_code
  • Title: Improper Authorization via wcal_delete_expired_used_coupon_code
  • Type: Improper Authorization
  • CVSS Score: 3.1 (Low)
  • Publicly Published: November 21, 2023
  • Description: The Abandoned Cart Lite for WooCommerce plugin for WordPress is vulnerable to unauthorized loss of data due to invalid logic in the capability check present in the wcal_delete_expired_used_coupon_code function in all versions up to and including 5.16.0. This makes it possible for authenticated attackers with subscriber privileges or above to delete expired used coupon codes, granted they are able to obtain a nonce via a separate vulnerability.

Summary:

The Abandoned Cart Lite for WooCommerce plugin for WordPress has improper authorization vulnerabilities in versions up to and including 5.16.0 that could allow authorized users to improperly delete data or unauthorized users to access data. These vulnerabilities have been patched in version 5.16.1.

References:

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/woocommerce-abandoned-cart

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/woocommerce-abandoned-cart/abandoned-cart-lite-for-woocommerce-5160-improper-authorization-via-wcal-delete-expired-used-coupon-code

https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/woocommerce-abandoned-cart/abandoned-cart-lite-for-woocommerce-5160-improper-authorization-via-wcal-preview-emails

Detailed Report:

Keeping your WordPress site secure requires constant vigilance - from strong passwords to regular backups to prompt software updates. Unfortunately, too often critical security patches go ignored, leaving thousands of websites exposed and vulnerable to attack.

Case in point: recently disclosed authorization flaws in the popular Abandoned Cart Lite for WooCommerce plugin. Versions prior to 5.16.1 contain weaknesses that could enable unauthorized access or data loss. With over 30,000 active installs, many ecommerce sites are likely affected and don’t even know it.

About the Plugin

The Abandoned Cart Lite plugin, developed by tychesoftwares, is actively used on 30,000 online stores powered by WooCommerce. It has been downloaded over 995,000 times since initial release in 2015. The plugin enables shop owners to capture abandoned carts and send reminders to recover lost sales.

The Vulnerability

Researchers recently discovered two improper authorization vulnerabilities impacting Abandoned Cart Lite versions up to and including 5.16.0.

The first flaw allows authenticated subscribers and higher to improperly delete expired used coupon codes. The second permits unauthorized unauthenticated attackers to preview emails. An attacker would need a valid nonce value from elsewhere to exploit either vulnerability.

Risks & Impacts

Though CVSS scores are relatively low at 3.1 and 3.7, if exploited these flaws mean attackers could potentially access, modify or delete data without permission. For online shops, this could translate into financial fraud, stolen customer information, and data destruction.

Staying Secure

This situation highlights precisely why staying on top of updates is so critical. Developers work hard to patch bugs, but if you don’t install those patches attackers can and will exploit them. Make sure to register with services like Wordfence that alert when vulnerabilities in active plugins are disclosed. Enlist professional assistance to audit your site and verify software is fully updated across the board.

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

WordPress Plugin Vulnerability Report – Abandoned Cart Lite for WooCommerce – Improper Authorization Vulnerabilities FAQs

Leave a Comment