Critical Authentication Bypass Vulnerabilities Found in Popular WordPress Plugins

Cybersecurity researchers from web application security platform Wordfence discovered critical authentication bypass vulnerabilities in two widely used WordPress plugins. The flaws could affect tens of thousands of websites, allowing malicious actors to gain administrator privileges with susceptible plugins.

Both vulnerabilities have a severity score of 9.8/10 on the Common Vulnerability Scoring System (CVSS) and are identified as follows:

• CVE-2023-2986 – Authentication bypass vulnerability affecting the Abandoned Cart Lite for WooCommerce plugin for WordPress, versions up to 5.14.2
• CVE-2023-2834 – Authentication bypass vulnerability affecting the BookItplugin for WordPress, versions up to, and including, 2.3.7

CVE-2023-2986 affects the Abandoned Cart Lite for WooCommerce plugin, commonly used by e-commerce websites to notify customers of unfinished purchases. A key feature of the plugin, an encrypted value identifying shopping carts, was found to be vulnerable to attack.

A loophole allows threat actors to exploit these encrypted values to create identifiers for other abandoned carts. This would let them access not just customer accounts, but also administrator accounts that may be testing the feature, possibly resulting in total control of the website.

This issue was addressed in version 5.15.1 of the Abandoned Cart Lite for the WooCommerce plugin, released on June 13.

The second vulnerability, CVE-2023-2834, pertains to the BookIt plugin that enables WordPress websites to integrate a booking calendar. However, due to inadequate verification measures, it was found that perpetrators could log in as any user, as long as they knew the user's email address.

The plugin links the provided email address to the user ID, setting authentication cookies without verifying passwords. This flaw can lead to unauthorized access to an administrator account if the hacker knows the admin's email address.

This issue was patched in the BookIt plugin’s version 2.3.8, also released on June 13. However, despite the patches being available, WordPress statistics indicate that thousands of websites are still running vulnerable versions of both plugins. Website administrators are urged to update their plugins immediately to mitigate the risks.

Users are reminded to practice good cyber hygiene and stay vigilant, regularly updating software and plugins to the latest versions, and keeping informed about potential security vulnerabilities.