Abandoned Cart Lite Plugin Vulnerability Puts Thousands of Webshops and Consumers at Risk


If you follow security news or shop online regularly, you may have heard about a recently disclosed vulnerability affecting webshops. It is the kind of news that catches your attention and makes you wonder: just how safe are we in this digital marketplace?

What’s the Issue?

Security firm Wordfence has disclosed a vulnerability in Abandoned Cart Lite for WooCommerce, a plugin that helps webshops follow up on “abandoned carts”. WooCommerce, itself a plugin that turns a WordPress site into an online store, is installed on more than five million WordPress sites; Abandoned Cart Lite is active on over 30,000 of those webstores.

Here’s how it works: if you have ever left items in your cart without buying them, you have probably received an email with a link back to your abandoned cart, encouraging you to complete the purchase. Abandoned Cart Lite generates that link, and the cart identifier inside it is encrypted so that it cannot simply be guessed or tampered with.

The problem is that the encryption key used to generate this link is hardcoded in the plugin’s source code. The plugin is free and publicly downloadable, so anyone who reads the code has the key, and an encrypted value whose key is public protects nothing.

How Bad is It?

With that key, an attacker can encrypt the cart ID of another customer and produce a recovery link that logs them in as that customer, without knowing a password. Cart IDs are sequential, starting at one, so an attacker does not even need to find a victim’s ID: they can simply enumerate them. In principle this also extends to an administrator account, for example if the admin created a test cart while checking that the plugin was working.
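The following is an added example written for this article, not code from Abandoned Cart Lite (which is PHP); it uses Python so the idea is easy to run and read. It models the design described above, a cart link whose only protection is a symmetric key shipped in the plugin source wrapped around a sequential cart ID, shows an attacker enumerating valid links for every cart, and then shows a hardened design: a per-cart random token generated from the OS CSPRNG, stored only as a hash, bound to the cart ID, compared in constant time, and expiring. The cipher (a toy keystream XOR), the key value, the host name and the query parameter names are constructed stand-ins, not the plugin’s real ones.

```python
"""Added example: why a hardcoded key makes cart-recovery links forgeable, and a hardened design.

Illustrative code written for this article, not code from Abandoned Cart Lite.
The cipher, key, host and parameter names below are constructed placeholders.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode

# ---------- Weak design: token = Enc(hardcoded_key, cart_id), with sequential cart IDs ----------

HARDCODED_KEY = b"key-baked-into-plugin-source"  # placeholder; anyone with the plugin code has it


def _keystream(key: bytes, length: int) -> bytes:
    """Toy stream-cipher keystream, a stand-in for the symmetric cipher the plugin used."""
    return hashlib.sha256(key).digest()[:length]


def weak_link(cart_id: int) -> str:
    """Build the recovery link; the only thing protecting it is HARDCODED_KEY."""
    plain = str(cart_id).encode()
    token = bytes(p ^ k for p, k in zip(plain, _keystream(HARDCODED_KEY, len(plain)))).hex()
    return "https://shop.example/?" + urlencode({"wcal_action": "checkout_link", "validate": token})


def weak_verify(link: str) -> Optional[int]:
    """Server side: decrypt the token and treat the result as the cart (and user) to log in."""
    token = parse_qs(link.split("?", 1)[1])["validate"][0]
    ct = bytes.fromhex(token)
    plain = bytes(c ^ k for c, k in zip(ct, _keystream(HARDCODED_KEY, len(ct))))
    return int(plain) if plain.isdigit() else None


def attacker_enumerate(max_cart_id: int) -> list:
    """Attacker holding the plugin source forges a valid link for every cart ID from 1 upward."""
    return [weak_verify(weak_link(cid)) for cid in range(1, max_cart_id + 1)]


# ---------- Hardened design: random per-cart token, stored hashed, bound to cart_id, expiring ----------

CART_STORE = {}     # cart_id -> {"token_hash": bytes, "expires": float}; stands in for the DB table
_next_cart_id = 1   # IDs may stay sequential: they are no longer the secret


def create_cart(ttl_seconds: int = 7 * 24 * 3600) -> tuple:
    """Create a cart and return (cart_id, recovery_link). The raw token exists only in the link."""
    global _next_cart_id
    cart_id, _next_cart_id = _next_cart_id, _next_cart_id + 1
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG; not derivable from cart_id or code
    CART_STORE[cart_id] = {
        "token_hash": hashlib.sha256(token.encode()).digest(),  # a DB leak does not leak usable tokens
        "expires": time.time() + ttl_seconds,
    }
    query = urlencode({"wcal_action": "checkout_link", "cart": cart_id, "token": token})
    return cart_id, "https://shop.example/?" + query


def hardened_verify(link: str, now: Optional[float] = None) -> Optional[int]:
    """Return the cart_id only if the presented token matches the stored hash and has not expired."""
    params = parse_qs(link.split("?", 1)[1])
    try:
        cart_id = int(params["cart"][0])
        token = params["token"][0]
    except (KeyError, ValueError):
        return None
    rec = CART_STORE.get(cart_id)
    current = now if now is not None else time.time()
    if rec is None or current > rec["expires"]:
        return None
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, rec["token_hash"]):  # constant-time; no timing oracle
        return None
    return cart_id


def attacker_forge_hardened(cart_id: int) -> Optional[int]:
    """Attacker knows the code, the cart_id and the link format, but not the per-cart token."""
    query = urlencode({"wcal_action": "checkout_link", "cart": cart_id, "token": secrets.token_urlsafe(32)})
    return hardened_verify("https://shop.example/?" + query)


if __name__ == "__main__":
    print("weak design, forged carts 1..5:", attacker_enumerate(5))
    cid, link = create_cart()
    print("hardened design, legitimate link verifies to cart", hardened_verify(link))
    print("hardened design, attacker's forgery verifies to", attacker_forge_hardened(cid))
```

Two design points are worth noting. First, the weakness is not the choice of cipher: any scheme whose secret ships in public source code, applied to a predictable value, is a public function that the attacker can evaluate just as well as the server. Second, the hardened version still ties the cart to a guessable ID, but the ID is no longer what grants access; and whatever the token scheme, a cart-recovery link should restore the cart without creating an authenticated session, so that a leaked or forwarded link is not a leaked login.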

The flaw, tracked as CVE-2023-2986, has been assigned a CVSS score of 9.8 out of 10, which puts it in the critical range. So yes, it’s bad.

What Now?

The plugin’s developer patched the issue in version 5.15.1, released on June 6th, 2023. However, WordPress.org’s download statistics show that thousands of webshops have yet to install the update.

Patch notes for the vulnerability in the WooCommerce plugin

If you run a WooCommerce webshop and use this plugin, check the installed version under Plugins in your WordPress dashboard and update to 5.15.1 or later immediately; if you cannot update right away, deactivate the plugin until you can. For consumers, this is a reminder that a cart-recovery link can be as powerful as a login link: do not forward such links, and think about what information a shop holds about you before you hand it over.


Reza Rafati https://cyberwarzone.com

Reza Rafati, based in the Netherlands, is the founder of Cyberwarzone.com. An industry professional providing insightful commentary on infosec, cybercrime, cyberwar, and threat intelligence, Reza dedicates his work to bolster digital defenses and promote cyber awareness.
