
Cloud Vulnerability DB
A community-led vulnerabilities database
The Abandoned Cart Lite for WooCommerce WordPress plugin contains an authentication bypass vulnerability (CVE-2023-2986) affecting versions up to and including 5.14.2, with subsequent issues discovered in versions 5.15.0 and 5.15.1. The vulnerability was disclosed in June 2023 and was fully patched in version 5.15.2. The plugin, which helps track abandoned shopping carts, was found to have insufficient encryption practices in its cart link decoding process (Wordfence Blog).
The vulnerability stems from insufficient encryption on the user data being supplied during the abandoned cart link decode process through the plugin. The issue received a CVSS v3.1 score of 9.8 (Critical), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating a critical severity level with network access vector and no required privileges or user interaction (NVD).
The vulnerability allows unauthenticated attackers to bypass authentication and log in as users who have abandoned their carts, who are typically customers. If a WordPress admin user has an abandoned cart entry, this could potentially lead to full compromise of the WordPress server (GitHub POC).
The vulnerability was initially addressed in version 5.15.0, but additional security hardening was required in subsequent versions. Version 5.15.1 introduced measures to prevent exploitation through historical checkout links, and version 5.15.2 provided complete remediation by ensuring null key values wouldn't permit the authentication bypass. Users are strongly advised to update to version 5.15.2 or later (GitHub Discussion).
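The advisory gives three version ranges (vulnerable through 5.14.2, partial fixes in 5.15.0 and 5.15.1, fully patched from 5.15.2). The script below, an added example and not code from the plugin, Wordfence, or the database entry, reads the `Version:` field from a WordPress plugin header (the standard header-comment format WordPress itself parses) and classifies it against those ranges, so an operator can check an install offline. The sample header is constructed for the example; the `Version:` parsing is generic and not tied to this plugin's real file names.

```python
"""Classify an installed Abandoned Cart Lite for WooCommerce version against
the ranges stated in the CVE-2023-2986 advisory text.

Added example: not the plugin's code and not from the advisory's authors.
"""
import re
from typing import Optional, Tuple

# Boundaries taken directly from the advisory text.
VULNERABLE_THROUGH = (5, 14, 2)            # unauthenticated bypass, CVSS 9.8
PARTIAL_FIXES = {(5, 15, 0), (5, 15, 1)}   # first fix, then more hardening needed
FULLY_PATCHED_FROM = (5, 15, 2)            # complete remediation (null key handled)

# Constructed sample of a WordPress plugin header comment (WordPress reads the
# "Version:" field from this block); the name and version are made up here.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Example Abandoned Cart Plugin
Description: constructed sample header for the version check example
Version: 5.14.1
Author: example
*/
"""


def parse_version(version: str) -> Tuple[int, int, int]:
    """Turn '5.15.2' (or a shorter '5.15') into a 3-part comparable tuple."""
    m = re.fullmatch(r"\s*(\d+(?:\.\d+)*)\s*", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts = (parts + [0, 0, 0])[:3]        # pad missing minor/patch with 0
    return parts[0], parts[1], parts[2]


def assess(version: str) -> str:
    """Map a version string onto the advisory's ranges.

    Returns 'vulnerable', 'partially-patched', 'patched', or 'unknown' for a
    version the advisory does not cover (e.g. something between 5.14.2 and 5.15.0).
    """
    v = parse_version(version)
    if v <= VULNERABLE_THROUGH:
        return "vulnerable"
    if v in PARTIAL_FIXES:
        return "partially-patched"
    if v >= FULLY_PATCHED_FROM:
        return "patched"
    return "unknown"


def version_from_plugin_header(text: str) -> Optional[str]:
    """Extract the 'Version:' field from a WordPress plugin header comment."""
    m = re.search(r"^[ \t/*#@]*Version:[ \t]*(\S+)", text, re.MULTILINE | re.IGNORECASE)
    return m.group(1) if m else None


def assess_plugin_file(text: str) -> str:
    """Convenience wrapper: header text in, advisory status out."""
    version = version_from_plugin_header(text)
    if version is None:
        return "unknown"
    return assess(version)


if __name__ == "__main__":
    # Run the constructed sample through the check and print the verdict.
    print(version_from_plugin_header(SAMPLE_HEADER), "->", assess_plugin_file(SAMPLE_HEADER))
```

Pointing `assess_plugin_file` at the real main plugin file (read as text) gives the same verdict for a live install; a result of `unknown` means the version is outside the ranges the advisory describes and should be compared against the vendor changelog rather than assumed safe.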
Source: This report was generated using AI