Web application security firm Defiant has issued warnings about critical-severity authentication bypass vulnerabilities in two WordPress plugins with substantial installations. The first flaw, CVE-2023-2986, affects the Abandoned Cart Lite for WooCommerce plugin, which has over 30,000 active installations.
This vulnerability enables attackers to create identifiers for other users’ carts, potentially leading to unauthorized access to customer-level and administrator-level accounts, posing a risk of full site compromise. Although a patch has been released in version 5.15.1, numerous websites are yet to apply the fix.
The second vulnerability, CVE-2023-2834, pertains to the BookIt WordPress plugin with over 10,000 active installations. Due to insufficient input checks during appointment booking, an unauthenticated attacker can log in as any existing user by knowing their email address, potentially compromising administrator accounts. The flaw has been addressed in version 2.3.8, but many websites still run the vulnerable version.
Reference:
