Two Critical WordPress Plugin Vulnerabilities expose Thousands of Sites
Take action: The most widely used CMS platform in the world is also the most vulnerable, largely because of its plugins. If you haven't enabled automatic patching, take the 10 minutes to patch your Abandoned Cart Lite for WooCommerce and BookIt.
Two WordPress plugins have critical vulnerabilities that allow authentication bypass. Both plugins are installed on a large number of websites, making those sites potential targets for attackers.
- CVE-2023-2986, assigned a high CVSS score of 9.8/10, is a critical vulnerability in Abandoned Cart Lite for WooCommerce, which has over 30,000 active installations. The vulnerability allows an attacker to abuse the plugin's cart-recovery feature. The plugin sends notifications to customers who haven't completed their purchase; each notification contains a link that automatically logs the customer back in so they can continue. This link includes an encrypted value that identifies the abandoned cart.
The flaw lies in the hardcoded encryption key used by the plugin, combined with the fact that cart identifiers are generated sequentially. With the encryption key, an attacker can construct valid identifiers for other users' carts. Although the attack only works against abandoned carts, it can grant unauthorized access to customer-level user accounts. In more serious cases, it may even allow access to administrator-level accounts that were used to test the abandoned cart feature, leading to a complete compromise of the affected website.
The vulnerability in Abandoned Cart Lite for WooCommerce was addressed in version 5.15.1, which was released on June 13.
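The weakness above is that the recovery link encodes a predictable (sequential) cart id under a key shared by every install, so anyone holding the key can mint links. The following is an added example, not the plugin's own code, showing how such a link should be issued and redeemed: a random per-link token stored only as a keyed hash, an expiry, single use, and no automatic login for privileged roles. The store, URL and role names are assumed for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Hypothetical in-memory table standing in for the plugin's cart database.
# cart_id -> {"owner": user_id, "role": role, "token_hash": ..., "expires": ..., "used": ...}
CART_STORE = {}
SERVER_SECRET = secrets.token_bytes(32)      # per-site secret, never hardcoded in plugin source
LINK_TTL_SECONDS = 7 * 24 * 3600
PRIVILEGED_ROLES = {"administrator", "editor", "shop_manager"}   # assumed role names


def _token_hash(token: str) -> str:
    # Only a keyed hash of the token is stored, so a database leak does not leak live links.
    return hmac.new(SERVER_SECRET, token.encode(), hashlib.sha256).hexdigest()


def issue_recovery_link(cart_id: int, owner_id: int, role: str, now: Optional[float] = None) -> str:
    """Create a cart-recovery link. The token is random (not an encrypted sequential id),
    so knowing one cart's link, or the secret, reveals nothing about another cart's link."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    CART_STORE[cart_id] = {
        "owner": owner_id, "role": role,
        "token_hash": _token_hash(token),
        "expires": now + LINK_TTL_SECONDS, "used": False,
    }
    return f"https://shop.example/cart/recover?cart={cart_id}&token={token}"   # assumed URL


def redeem_recovery_link(cart_id: int, token: str, now: Optional[float] = None) -> Optional[int]:
    """Return the user id to log in, or None. Every failure path returns the same
    generic None so the response does not reveal which check failed."""
    now = time.time() if now is None else now
    rec = CART_STORE.get(cart_id)
    if rec is None or rec["used"] or now > rec["expires"]:
        return None
    if not hmac.compare_digest(rec["token_hash"], _token_hash(token)):
        return None
    # Never turn a marketing e-mail link into a session for a privileged account.
    if rec["role"] in PRIVILEGED_ROLES:
        return None
    rec["used"] = True        # single use: a leaked or forwarded e-mail cannot be replayed
    return rec["owner"]
```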
- CVE-2023-2834, assigned a CVSS score of 9.8/10, is a critical-severity vulnerability in a WordPress plugin called BookIt, which has more than 10,000 active installations. This flaw allows an unauthenticated attacker to log in as any existing user, provided they know that user's email address.
The BookIt plugin embeds an appointment booking calendar into WordPress sites. Users book appointments by providing their name, email address, and password. However, the plugin does not adequately validate this user-supplied input when it processes a booking.
This oversight allows an attacker to associate their booking request with an existing user account simply by supplying that account's email address; the plugin then sets the authentication cookies for that account without verifying the password. As a result, an attacker can gain unauthorized access to any account on the affected site, including administrator accounts, as long as they know the targeted user's email address.
The security flaw in BookIt was patched with the release of version 2.3.8 on June 13.