Tyche Softwares Addresses Authentication Bypass Vulnerability in Abandoned Cart Lite for WooCommerce WordPress Plugin

On May 29, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for an Authentication Bypass vulnerability in Tyche Softwares’s Abandoned Cart Lite for WooCommerce plugin, which is actively installed on more than 30,000 WordPress websites. This vulnerability makes it possible for an attacker to gain access to the accounts of users who have abandoned their carts, who are typically customers but can extend to other high-level users when the right conditions are met.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on June 7, 2023. Sites still using the free version of Wordfence will receive the same protection on July 7, 2023.

We contacted Tyche Softwares on May 30, 2023, and received a response the next day. After providing full disclosure details, the developer released a patch on June 6, 2023. We would like to commend the Tyche Softwares development team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of Abandoned Cart Lite for WooCommerce, version 5.15.1 at the time of this writing, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

Description: Abandoned Cart Lite for WooCommerce <= 5.14.2 – Authentication Bypass
Affected Plugin: Abandoned Cart Lite for WooCommerce
Plugin Slug: woocommerce-abandoned-cart
Affected Versions: <= 5.14.2
CVE ID: CVE-2023-2986
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Lana Codes
Fully Patched Version: 5.15.0

The Abandoned Cart Lite for WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.14.2. This is due to insufficient encryption on the user being supplied during the abandoned cart link decode through the plugin. This allows unauthenticated attackers to log in as users who have abandoned the cart, who are typically customers.

Technical Analysis

The Abandoned Cart Lite for WooCommerce plugin, according to its settings, sends a notification to customers who have not completed the purchase process, who have, in other words, abandoned their cart. The notification contains a link that automatically logs in the customer to continue their purchase. Examining the code reveals that the link contains an encrypted value, which identifies the abandoned cart.

$validate_server_string = isset( $_GET ['validate'] ) ? rawurldecode( wp_unslash( $_GET ['validate'] ) ) : '';
$validate_server_string = str_replace( ' ', '+', $validate_server_string );
$validate_encoded_string = $validate_server_string;
$crypt_key = get_option( 'wcal_security_key' );
$link_decode = Wcal_Aes_Ctr::decrypt( $validate_encoded_string, $crypt_key, 256 );
$sent_email_id_pos = strpos( $link_decode, '&' );
$email_sent_id = substr( $link_decode, 0, $sent_email_id_pos );

The link only works if it contains the properly encrypted value, which requires the encryption key to create. However, we found that the encryption key is hardcoded in the plugin, which means that threat actors also have access to it. Due to this, it is possible to create a link using the key that includes the abandoned cart identifier of other users, since each cart identifier is a sequentially increasing number starting from one.

$get_ac_id_results = $wpdb->get_results(
	$wpdb->prepare(
		'SELECT abandoned_order_id FROM `' . $wpdb->prefix . 'ac_sent_history_lite` WHERE id = %d',
		$email_sent_id
	)
);
$abandoned_id      = $get_ac_id_results[0]->abandoned_order_id;
$get_user_results = array();
if ( $abandoned_id > 0 ) {
	$get_user_results  = $wpdb->get_results( //phpcs:ignore
		$wpdb->prepare(
			'SELECT user_id FROM `' . $wpdb->prefix . 'ac_abandoned_cart_history_lite` WHERE id = %d',
			$abandoned_id
		)
	);
}
$user_id = isset( $get_user_results ) && count( $get_user_results ) > 0 ? (int) $get_user_results[0]->user_id : 0;
wp_set_auth_cookie( $user_id );

An attacker can only log in as a user who has an abandoned cart, so in most cases they will only be able to log in as a customer-level user. However, by exploiting the authentication bypass vulnerability, an attacker may gain access to an administrative user account, or another higher-level user account, if those users have been testing the abandoned cart functionality.
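Because cart identifiers are sequential, abuse of this link tends to show up in access logs as one client presenting many different `validate` values in a short time, whereas a customer clicks the same link once or twice. The following detection sketch is an added example, not code from Wordfence or the plugin. It assumes combined-format access logs; the sample lines, the threshold, and the time window are constructed for illustration, and only the `validate` parameter name comes from the code above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [08/Jun/2023:10:00:01 +0000] "GET /?validate=AAAA HTTP/1.1" 302 0
198.51.100.7 - - [08/Jun/2023:10:00:02 +0000] "GET /?validate=BBBB HTTP/1.1" 302 0
198.51.100.7 - - [08/Jun/2023:10:00:03 +0000] "GET /?validate=CCCC HTTP/1.1" 302 0
198.51.100.7 - - [08/Jun/2023:10:00:04 +0000] "GET /?validate=DDDD HTTP/1.1" 302 0
203.0.113.20 - - [08/Jun/2023:10:05:00 +0000] "GET /?validate=EEEE HTTP/1.1" 302 0
203.0.113.20 - - [08/Jun/2023:10:06:00 +0000] "GET /?validate=EEEE HTTP/1.1" 302 0
192.0.2.44 - - [08/Jun/2023:10:07:00 +0000] "GET /shop/ HTTP/1.1" 200 5120
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+) [^"]*"')

def validate_hits(log_text):
    """Yield (client, time, token) for each request carrying a validate parameter."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        client, stamp, target = m.groups()
        tokens = parse_qs(urlsplit(target).query).get("validate")
        if tokens:
            when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
            yield client, when, tokens[0]

def suspicious_clients(log_text, max_distinct=3, window=timedelta(minutes=10)):
    """Return {client: distinct_count} for clients presenting more than
    max_distinct different validate values inside any one window."""
    by_client = defaultdict(list)
    for client, when, token in validate_hits(log_text):
        by_client[client].append((when, token))
    flagged = {}
    for client, hits in by_client.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            distinct = {t for w, t in hits[i:] if w - start <= window}
            if len(distinct) > max_distinct:
                flagged[client] = max(flagged.get(client, 0), len(distinct))
    return flagged

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG))
```

Clients flagged here are worth correlating with subsequent authenticated activity for the accounts tied to abandoned carts; tune the threshold to the site's normal reminder-email click volume.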

Security Notice and Recommendation

We would also like to draw attention to the fact that the developers have made the functionality backward compatible in version 5.15.0, which means that old abandoned carts can be exploited even if the plugin is updated. Therefore, considering the risks and disadvantages, we recommend that site owners delete old abandoned carts if using this version, for which there is a bulk action available in the plugin.

The screenshot shows how to delete old abandoned carts as a website owner.

Further security hardening was introduced in version 5.15.1 that ensures sites are no longer vulnerable through old abandoned cart links.

Disclosure Timeline

May 29, 2023 – Discovery of the Authentication Bypass vulnerability in Abandoned Cart Lite for WooCommerce.
May 30, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
May 31, 2023 – The vendor confirms the inbox for handling the discussion.
May 31, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.
June 6, 2023 – A fully patched version of the plugin, 5.15.0, is released.
June 7, 2023 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability. Please note we delayed the firewall rule to prevent completely breaking the plugin’s core functionality.
July 7, 2023 – Wordfence Free users receive the same protection.

Conclusion

In this blog post, we have detailed an Authentication Bypass vulnerability within the Abandoned Cart Lite for WooCommerce plugin affecting versions 5.14.2 and earlier. This vulnerability allows threat actors to bypass authentication and gain access to the accounts of users who have abandoned their carts. The vulnerability has been fully addressed in version 5.15.0 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of Abandoned Cart Lite for WooCommerce.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on June 7, 2023. Sites still using the free version of Wordfence will receive the same protection on July 7, 2023.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

The post Tyche Softwares Addresses Authentication Bypass Vulnerability in Abandoned Cart Lite for WooCommerce WordPress Plugin appeared first on Wordfence.
