The Wordfence Threat Intelligence team identified an Authentication Bypass vulnerability in Tyche Softwares’s Abandoned Cart Lite for WooCommerce plugin, which is actively installed on more than 30,000 WordPress websites.

This vulnerability makes it possible for an attacker to gain access to the accounts of users who have abandoned their carts. These are typically customers, but the affected accounts can extend to other high-level users when the right conditions are met.

The Abandoned Cart Lite for WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.14.2. This is due to insufficient encryption of the user-identifying value supplied when the plugin decodes the abandoned cart link. This allows unauthenticated attackers to log in as users who have abandoned their cart, who are typically customers.

Technical Analysis

Depending on its settings, the Abandoned Cart Lite for WooCommerce plugin sends a notification to customers who have not completed the purchase process and have, in other words, abandoned their cart. The notification contains a link that automatically logs the customer in so they can continue their purchase. Examining the code reveals that the link contains an encrypted value, which identifies the abandoned cart.

$validate_server_string = isset( $_GET['validate'] ) ? rawurldecode( wp_unslash( $_GET['validate'] ) ) : '';
$validate_server_string = str_replace( ' ', '+', $validate_server_string );
$validate_encoded_string = $validate_server_string;
$crypt_key = get_option( 'wcal_security_key' );
$link_decode = Wcal_Aes_Ctr::decrypt( $validate_encoded_string, $crypt_key, 256 );
$sent_email_id_pos = strpos( $link_decode, '&' );
$email_sent_id = substr( $link_decode, 0, $sent_email_id_pos );

The link only works if it contains the properly encrypted value, which requires the encryption key to create. However, we found that the encryption key is hardcoded in the plugin, which means that threat actors also have access to it. Due to this, it is possible to create a link using the key that includes the abandoned cart identifier of other users, since each cart identifier is a sequentially increasing number starting from one.

$get_ac_id_results = $wpdb->get_results(
    $wpdb->prepare(
        'SELECT abandoned_order_id FROM `' . $wpdb->prefix . 'ac_sent_history_lite` WHERE id = %d',
        $email_sent_id
    )
);
$abandoned_id      = $get_ac_id_results[0]->abandoned_order_id;
$get_user_results = array();
if ( $abandoned_id > 0 ) {
    $get_user_results  = $wpdb->get_results( //phpcs:ignore
        $wpdb->prepare(
            'SELECT user_id FROM `' . $wpdb->prefix . 'ac_abandoned_cart_history_lite` WHERE id = %d',
            $abandoned_id
        )
    );
}
$user_id = isset( $get_user_results ) && count( $get_user_results ) > 0 ? (int) $get_user_results[0]->user_id : 0;
wp_set_auth_cookie( $user_id );

An attacker is limited in which users they can log in as, because it is only possible to log in as a user with an abandoned cart. Given that requirement, in most cases an attacker will only be able to log in as a customer-level user.
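
One way to avoid the hardcoded-key problem described above, shown as an added example that is not the plugin's code or the vendor's patch: the link carries an HMAC made with a secret generated randomly per site, so reading the plugin source or guessing a sequential identifier is not enough to build a valid link. All `example_*` function names, the token layout and the sample values are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helpers, not the plugin's code or its patch.

// Generate once per site at install time and store like any other credential.
function example_new_site_secret(): string {
    return bin2hex( random_bytes( 32 ) );
}

function example_b64url( string $bin ): string {
    return rtrim( strtr( base64_encode( $bin ), '+/', '-_' ), '=' );
}

// Token = "<email_sent_id>.<expiry>.<HMAC-SHA256 over the first two fields>".
function example_issue_token( int $email_sent_id, string $secret, int $ttl, int $now ): string {
    $payload = $email_sent_id . '.' . ( $now + $ttl );
    return $payload . '.' . example_b64url( hash_hmac( 'sha256', $payload, $secret, true ) );
}

// Returns the email_sent_id only for an authentic, unexpired token; otherwise null.
function example_verify_token( string $token, string $secret, int $now ): ?int {
    $parts = explode( '.', $token );
    if ( 3 !== count( $parts ) || ! ctype_digit( $parts[0] ) || ! ctype_digit( $parts[1] ) ) {
        return null; // malformed
    }
    $expected = example_b64url( hash_hmac( 'sha256', $parts[0] . '.' . $parts[1], $secret, true ) );
    if ( ! hash_equals( $expected, $parts[2] ) ) {
        return null; // signature mismatch: wrong key or altered id/expiry
    }
    if ( (int) $parts[1] < $now ) {
        return null; // expired link
    }
    return (int) $parts[0];
}

// Constructed demo values (not real plugin data).
$secret = example_new_site_secret();
$now    = 1700000000;
$token  = example_issue_token( 42, $secret, 3600, $now );

$cases = array(
    'valid link'                     => example_verify_token( $token, $secret, $now + 60 ),
    'id changed to 43, not resigned' => example_verify_token( '43' . substr( $token, 2 ), $secret, $now + 60 ),
    'signed with a published key'    => example_verify_token( example_issue_token( 43, 'key-shipped-in-source', 3600, $now ), $secret, $now + 60 ),
    'used after expiry'              => example_verify_token( $token, $secret, $now + 7200 ),
);
var_dump( $cases );
```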
