Tyche Softwares Addresses Authentication Bypass Vulnerability in Abandoned Cart Lite for WooCommerce WordPress Plugin

On May 29, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for an Authentication Bypass vulnerability in Tyche Softwares's Abandoned Cart Lite for WooCommerce plugin, which is actively installed on more than 30,000 WordPress websites. This vulnerability makes it possible for an attacker to gain access to the accounts of users who have abandoned their carts, who are typically customers but can extend to other high-level users when the right conditions are met.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on June 7, 2023. Sites still using the free version of Wordfence will receive the same protection on July 7, 2023.

We contacted Tyche Softwares on May 30, 2023, and received a response the next day. After providing full disclosure details, the developer released a patch on June 6, 2023. We would like to commend the Tyche Softwares development team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of Abandoned Cart Lite for WooCommerce, version 5.15.1 at the time of this writing, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

Description: Abandoned Cart Lite for WooCommerce

```php
$get_user_results = array();
$abandoned_id = $get_ac_id_results->abandoned_order_id;
$get_user_results = $wpdb->get_results( //phpcs:ignore
    'ac_abandoned_cart_history_lite` WHERE id = %d',
$user_id = isset( $get_user_results ) & count( $get_user_results ) > 0 ? (int) $get_user_results->user_id : 0;
```

An attacker is limited in which users they can log in as, because it is only possible to log in as a user who has an abandoned cart. Considering the requirement of an abandoned cart, in most cases an attacker will only be able to log in as a customer-level user. However, there is a chance that by exploiting the authentication bypass vulnerability, an attacker can gain access to an administrative user account, or another higher-level user account, if those users have been testing the abandoned cart functionality. Regardless, this is a severe vulnerability that can lead to sensitive customer information being exposed at best and complete compromise of a site at worst.

We would like to note that the developers made the functionality backward compatible in version 5.15.0, which means that old abandoned carts can still be exploited even if the plugin is updated to that version. Further security hardening was introduced in version 5.15.1 that ensures sites are no longer vulnerable through old abandoned cart links; therefore, we recommend making sure all sites are updated to that version.

– Discovery of the Authentication Bypass vulnerability in Abandoned Cart Lite for WooCommerce.
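The excerpt above resolves a user account from the integer cart id carried in an abandoned cart link. The following is an added example, not code from the Abandoned Cart Lite plugin and not Tyche Softwares's 5.15.x patch; it shows the general defensive pattern for cart-recovery links: the link carries a high-entropy random token that is stored only as a hash, expires, is single-use, is compared in constant time, and resolves to a cart to pre-fill rather than to a user session. The `$store` array and the one-week TTL are assumptions standing in for whatever persistence and policy a real plugin would use.

```php
<?php
// Added illustrative example; not code from the Abandoned Cart Lite plugin.
declare(strict_types=1);

// Assumed policy: recovery links stop working after one week.
const RECOVERY_TOKEN_TTL = 7 * 24 * 3600;

// Issue a token when a cart is recorded as abandoned.
// $store is a hypothetical in-memory stand-in for a plugin database table.
function issue_recovery_token(array &$store, int $cart_id, int $now): string
{
    $token = bin2hex(random_bytes(32));           // 256 bits of entropy, unguessable
    $store[$cart_id] = [
        'token_hash' => hash('sha256', $token),   // persist the hash, never the token
        'expires'    => $now + RECOVERY_TOKEN_TTL,
        'used'       => false,
    ];
    return $token;                                // embed this in the emailed link
}

// Validate the token from a recovery link.
// Returns the cart id to restore on success, null on any failure.
// Deliberately returns a cart id, never a user id: restoring a cart must not
// authenticate the visitor as the cart's owner.
function validate_recovery_token(array &$store, int $cart_id, string $token, int $now): ?int
{
    if (!isset($store[$cart_id])) {
        return null;                              // unknown cart id
    }
    $record = $store[$cart_id];
    if ($record['used'] || $now > $record['expires']) {
        return null;                              // replayed or stale link
    }
    if (!hash_equals($record['token_hash'], hash('sha256', $token))) {
        return null;                              // constant-time mismatch
    }
    $store[$cart_id]['used'] = true;              // single use
    return $cart_id;
}

// Usage with constructed values.
$store = [];
$now   = 1_700_000_000;
$token = issue_recovery_token($store, 42, $now);

var_dump(validate_recovery_token($store, 42, $token, $now));            // int(42)
var_dump(validate_recovery_token($store, 42, $token, $now));            // NULL (already used)
$t2 = issue_recovery_token($store, 43, $now);
var_dump(validate_recovery_token($store, 43, 'wrong-token', $now));     // NULL (mismatch)
var_dump(validate_recovery_token($store, 43, $t2, $now + RECOVERY_TOKEN_TTL + 1)); // NULL (expired)
```

The key design choice is the return type: a valid link yields a cart to pre-fill for an anonymous visitor, so even a leaked or guessed link exposes at most the cart contents rather than the account behind it.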