CVE-2021-4395: 
WordPress vulnerability analysis and mitigation

The vulnerability CVE-2021-4395 affects the Abandoned Cart Recovery for WooCommerce WordPress plugin versions 1.0.4 and below. This security issue was discovered by Jerome Bruandet and was publicly disclosed on July 5, 2021. The vulnerability is related to Cross-Site Request Forgery (CSRF) protection bypass in the plugin (NinTechNet Blog).

The vulnerability exists due to improper implementation of WordPress nonce verification in the plugin's code. Specifically, in the includes/reports/abandoned-report-table.php file at lines 166 and 341, the nonce verification check is only performed if the '_wpnonce' parameter is present in the GET request. If the parameter is not set, the security check is bypassed entirely. The vulnerability has been assigned a CVSS score of 4.3 (Medium) (Wordfence).

The vulnerability could allow attackers to perform unauthorized actions by bypassing the CSRF protection mechanism. This could potentially lead to unauthorized modifications of plugin settings or data manipulation when an authenticated administrator visits a malicious page (NinTechNet Blog).

Users are advised to update the Abandoned Cart Recovery for WooCommerce plugin to a version newer than 1.0.4, which contains the security fix. If immediate update is not possible, it is recommended to exercise caution when clicking on external links while logged into the WordPress dashboard (NinTechNet Blog).