CVE-2023-2986
Published 2023-06-08
Priority: P189 · critical · CVSS 3.1 base score 9.8
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 42.81% (98.5th percentile)
The Abandoned Cart Lite for WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.14.2. This is due to insufficient encryption on the user being supplied during the abandoned cart link decode through the plugin. This allows unauthenticated attackers to log in as users who have abandoned the cart, who are typically customers. Further security hardening was introduced in version 5.15.1 that ensures sites are no longer vulnerable through historical check-out links, and additional hardening was introduced in version 5.15.2 that ensured null key values wouldn't permit the authentication bypass.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tychesoftwares | abandoned_cart_lite_for_woocommerce | <= 5.14.2 | — |
Detection & IOCs (extracted from sources)
url: /?wcal_action=checkout_link&user_email=test&validate=
path: /wp-content/plugins/woocommerce-abandoned-cart/
- Detect exploitation attempts by monitoring GET requests to the WordPress site containing the query parameters `wcal_action=checkout_link` and `validate=`, which are the hallmarks of CVE-2023-2986 authentication bypass attempts.
- A successful exploit results in an HTTP 302 redirect response that sets a `wordpress_logged_in_` cookie and redirects to `/checkout/`. Monitor for unauthenticated sessions receiving this cookie via the abandoned cart link endpoint.
- The plugin uses a hardcoded weak encryption secret key `qJB0rGtIn5UB1xG03efyCp` for AES CTR-mode encryption of the cart validation token. Presence of this key in plugin source or traffic indicates a vulnerable installation.
- Presence of the plugin directory `/wp-content/plugins/woocommerce-abandoned-cart/` in HTTP response bodies can be used to fingerprint potentially vulnerable WordPress installations for targeted scanning.
- The authentication bypass affects Abandoned Cart Lite for WooCommerce versions up to and including 5.14.2. Version 5.15.1 added hardening against historical checkout links, and 5.15.2 additionally blocked null key values. Both patches are required for full remediation.
- The exploit uses AES CTR-mode encryption with an empty password OR the hardcoded secret `qJB0rGtIn5UB1xG03efyCp` to forge a valid `validate` token. Detection rules should account for both variants (colon-delimited dual-token payload in the `validate` parameter).
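The detection guidance in the list above, worked through as an added example (this is not code from the CVE page, from Tyche Softwares, or from the plugin): a Python scan over access-log lines in combined log format that flags every `wcal_action=checkout_link` request carrying a `validate` parameter, upgrades a hit to "likely succeeded" when the server answered 302 and the same client then requested `/checkout/` shortly afterwards, and separately tags probes of the plugin directory. The log lines, client IPs, and the 60-second correlation window are constructed assumptions. Standard access logs do not record `Set-Cookie`, so the `wordpress_logged_in_` cookie indicator is approximated here by the follow-up `/checkout/` request; if your proxy or WAF logs response headers, match on the cookie name directly instead.

```python
"""Scan web-server access logs for CVE-2023-2986 exploitation indicators.

Added illustration only; not code from the CVE page or the plugin. The log
lines, IPs and the correlation window below are constructed assumptions.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Constructed sample in Apache/Nginx combined format (no real hosts).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2023:12:00:01 +0000] "GET /?wcal_action=checkout_link&user_email=test&validate=abc123%3Adef456 HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.7 - - [10/Jun/2023:12:00:02 +0000] "GET /checkout/ HTTP/1.1" 200 5123 "-" "python-requests/2.31"
198.51.100.4 - - [10/Jun/2023:12:05:00 +0000] "GET /?wcal_action=checkout_link&validate=zzz HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2023:12:06:00 +0000] "GET /wp-content/plugins/woocommerce-abandoned-cart/readme.txt HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jun/2023:12:07:00 +0000] "GET /shop/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
PLUGIN_DIR = "/wp-content/plugins/woocommerce-abandoned-cart/"
# Assumption: a /checkout/ hit from the same client within this window after
# a 302 on the checkout_link endpoint is treated as the redirect being followed.
FOLLOWUP_WINDOW = timedelta(seconds=60)


def parse_line(line):
    """Parse one combined-format log line; return None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    entry["ts"] = datetime.strptime(entry["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlsplit(entry["target"])
    entry["path"] = url.path
    # keep_blank_values so a bare "validate=" (as in the IOC URL) still counts
    entry["query"] = parse_qs(url.query, keep_blank_values=True)
    return entry


def is_checkout_link_attempt(entry):
    """Hallmarks from the IOC list: wcal_action=checkout_link plus a validate parameter."""
    q = entry["query"]
    return q.get("wcal_action") == ["checkout_link"] and "validate" in q


def scan(log_text):
    """Return findings for bypass attempts, likely successes and plugin-directory probes.

    Log lines are assumed to be in chronological order.
    """
    entries = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    findings = []
    for i, e in enumerate(entries):
        if PLUGIN_DIR in e["path"]:
            findings.append({"ip": e["ip"], "ts": e["ts"], "kind": "plugin_fingerprint"})
        if not is_checkout_link_attempt(e):
            continue
        kind = "bypass_attempt"
        if e["status"] == 302:
            # A successful bypass answers 302 to /checkout/ with a wordpress_logged_in_
            # cookie; without response headers in the log, the same client fetching
            # /checkout/ right afterwards is the observable proxy for that.
            for later in entries[i + 1:]:
                if later["ts"] - e["ts"] > FOLLOWUP_WINDOW:
                    break
                if later["ip"] == e["ip"] and later["path"].rstrip("/") == "/checkout":
                    kind = "bypass_likely_succeeded"
                    break
        findings.append({"ip": e["ip"], "ts": e["ts"], "kind": kind,
                         "validate": e["query"]["validate"][0]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"].isoformat(), f["ip"], f["kind"], f.get("validate", ""))
```

The `validate` value is kept in each finding so an analyst can check whether the same forged token is being replayed across hosts; a burst of `bypass_attempt` hits from one client with changing `validate` values is the brute-force pattern to expect when the attacker does not know a valid cart identifier.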
CVSS provenance
nvd (CVSS v3.1): 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck: 9.8 CRITICAL
VulDB
CVE-2023-2986 [CRITICAL] Abandoned Cart Lite for WooCommerce Plugin up to 5.14.2 on WordPress improper authentication (ID 2922242)
vuldb · 2026-04-09 · CVSS 9.8
A vulnerability was found in Abandoned Cart Lite for WooCommerce Plugin up to 5.14.2 on WordPress and classified as critical. This issue affects some unknown processing. Executing a manipulation can lead to improper authentication.
The identification of this vulnerability is CVE-2023-2986. The attack may be launched remotely. There is no exploit available.
GHSA
CVE-2023-2986 [CRITICAL] CWE-288 GHSA-54x7-q6m6-mjqv: The Abandoned Cart Lite for WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5
ghsa_unreviewed · 2023-06-08
The Abandoned Cart Lite for WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.14.2. This is due to insufficient encryption on the user being supplied during the abandoned cart link decode through the plugin. This allows unauthenticated attackers to log in as users who have abandoned the cart, which users are typically customers.
VulnCheck
CVE-2023-2986 [CRITICAL] Abandoned Cart Lite for WooCommerce plugin for WordPress Authentication Bypass Vulnerability
vulncheck · 2023 · CVSS 9.8
Affected: tychesoftwares abandoned_cart_lite_for_woocom
No detection rules found.
Nuclei
CVE-2023-2986 [CRITICAL] Abandoned Cart Lite for WooCommerce - Authentication Bypass
nuclei · CVSS 9.8
Template (fragment, as published on the page):

```yaml
id: CVE-2023-2986
info:
  name: Abandoned Cart Lite for WooCommerce - Authent
```
References:
- https://github.com/Ayantaker/CVE-2023-2986
- https://github.com/TycheSoftwares/woocommerce-abandoned-cart/pull/885#issuecomment-1601813615
- https://plugins.trac.wordpress.org/browser/woocommerce-abandoned-cart/trunk/woocommerce-ac.php#L1815
- https://plugins.trac.wordpress.org/browser/woocommerce-abandoned-cart/trunk/woocommerce-ac.php?rev=2916178#L1800
- https://plugins.trac.wordpress.org/changeset/2922242/
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=2925274%40woocommerce-abandoned-cart&new=2925274%40woocommerce-abandoned-cart&sfp_email=&sfph_mail=
- https://www.wordfence.com/blog/2023/06/tyche-softwares-addresses-authentication-bypass-vulnerability-in-abandoned-cart-lite-for-woocommerce-wordpress-plugin/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/68052614-204f-4237-af0e-4b8210ebd59f?source=cve