PT-2023-22450 · WordPress · Abandoned Cart Lite For Woocommerce

Ayan Saha

Published

2023-06-07

Updated

2025-06-12

CVE-2023-2986

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions Abandoned Cart Lite for WooCommerce plugin for WordPress versions up to, and including, 5.14.2

Description The issue is due to insufficient encryption on the user being supplied during the abandoned cart link decode through the plugin. This allows unauthenticated attackers to log in as users who have abandoned the cart, who are typically customers.

Recommendations For versions up to, and including, 5.14.2, update to version 5.15.1 or later to ensure sites are no longer vulnerable through historical check-out links. Additionally, updating to version 5.15.2 will ensure null key values won't permit the authentication bypass.

Exploit

Fix

Authentication Bypass Using an Alternate Path or Channel

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-288

Related Identifiers

CVE-2023-2986

Affected Products

Abandoned Cart Lite For Woocommerce

PT-2023-22450 · WordPress · Abandoned Cart Lite For Woocommerce

CVE-2023-2986

Weakness Enumeration

Related Identifiers

Affected Products

References · 15