Critical Vulnerability Found in WordPress E-Commerce Plugin Used by Over 30,000 Online Stores

It has been reported that the WordPress "Abandoned Cart Lite for WooCommerce" plugin, installed on more than 30,000 websites, has a critical security vulnerability. According to an advisory from Defiant's Wordfence, the vulnerability allows attackers to gain access to the accounts of users who have abandoned their carts. The severity of the vulnerability, tracked as CVE-2023-2986, has been rated 9.8 out of 10 on the CVSS scoring system. It affects all versions of the plugin, including versions 5.14.2 and earlier.

The issue stems from an authentication bypass due to inadequate encryption protections. When customers are notified about their abandoned shopping carts on e-commerce sites, the encryption key used is hardcoded in the plugin. This allows malicious actors to log in as a user with an abandoned cart. Security researcher István Márton mentioned that there is a possibility of exploiting the authentication bypass vulnerability to gain access to an administrative or higher-level user account.

Vulnerability Patched in Early June

The plugin developer, Tyche Softwares, addressed the vulnerability with version 5.15.0 on June 6, 2023, and the current version is 5.15.2. The disclosure of this vulnerability coincides with Wordfence's revelation of another authentication bypass flaw in the "Booking Calendar | Appointment Booking | BookIt" plugin by StylemixThemes. This flaw, tracked as CVE-2023-2834 with a CVSS score of 9.8, affects over 10,000 WordPress installations. It arises from insufficient verification during the booking appointment process, allowing unauthenticated attackers to log in as any existing user if they have access to the user's email. The issue has been resolved in version 2.3.8, released on June 13, 2023, while versions 2.3.7 and earlier are affected.

Why Are WordPress Plugins Frequently Targeted by Hackers?

WordPress plugins are often targeted by hackers due to several reasons:

Popularity and Wide Usage: WordPress is one of the most popular content management systems (CMS) worldwide, powering a significant portion of websites on the internet. The extensive usage of WordPress makes it an attractive target for hackers. Since plugins enhance the functionality of WordPress websites, they are widely adopted by website owners. Attackers know that targeting popular plugins can potentially compromise a large number of websites.

Vulnerabilities and Security Issues: Like any software, WordPress plugins can have vulnerabilities and security weaknesses. These vulnerabilities can be exploited by hackers to gain unauthorized access, inject malicious code, or perform other malicious activities. Plugins may have coding errors, insufficient validation checks, or inadequate security measures that make them susceptible to attacks.

Lack of Updates and Maintenance: Some website owners may neglect to keep their WordPress plugins up to date or fail to maintain them properly. Outdated plugins can have known vulnerabilities that hackers can exploit. Additionally, plugins that are no longer maintained or supported by developers may not receive timely security patches, leaving them vulnerable to attacks.

Third-Party Plugin Developers: WordPress plugins are often developed by third-party developers who may have varying levels of security expertise. While many developers prioritize security, others may not have the necessary knowledge or resources to implement robust security measures. Hackers target plugins developed by less security-conscious developers to exploit weaknesses in their code.

Backdoor Entry: Plugins can serve as a backdoor entry point for attackers to gain access to a WordPress website. By compromising a plugin, hackers can bypass security measures and gain control over the entire website. Once inside, they can manipulate content, steal sensitive information, or carry out other malicious activities.

To mitigate the risk associated with WordPress plugins, it is crucial for website owners to follow best practices such as:

• Regularly update plugins to the latest versions that include security patches.
• Choose plugins from reputable sources and developers with a track record of providing regular updates and support.
• Remove or deactivate unused plugins to minimize the attack surface.
• Employ a reliable security plugin that can detect and protect against potential threats.
• Regularly monitor the security of the website and implement additional security measures, such as strong passwords and two-factor authentication.

By taking these precautions, website owners can reduce the likelihood of falling victim to attacks targeting WordPress plugins.