WordPress Plugin Vulnerabilities

Abandoned Cart Lite for WooCommerce < 5.16.2 - Missing Authorization via multiple AJAX functions

Description

The Abandoned Cart Lite for WooCommerce plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to missing capability checks on multiple AJAX functions in versions up to, and including, 5.16.1. This makes it possible for authenticated attackers, with subscriber-level access and above, to dismiss admin notifications, toggle templates, view abandoned cart details, and preview emails.

Affects Plugins

Plugin icon
woocommerce-abandoned-cart
Fixed in 5.16.2

References

CVE
CVE-2023-41671
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/51cfe955-f854-4f88-a009-93f92ae13d86

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.4 (medium)

Miscellaneous

Original Researcher
Mika
Verified
No
WPVDB ID
1e712c25-24f0-42aa-9442-7a2077d499b8

Timeline

Publicly Published
2023-11-28 (about 2 years ago)
Added
2023-12-08 (about 2 years ago)
Last Updated
2024-01-22 (about 2 years ago)

Other

Published
Title
Published
2025-11-03
Title
All in One Time Clock Lite – Tracking Employee Time Has Never Been Easier < 2.0.4 - Missing Authorization to Page Creation and Information Exposure
Published
2026-02-02
Title
Booktics < 1.0.17 - Missing Authorization
Published
2026-02-03
Title
BizReview <= 1.5.14 - Missing Authorization
Published
2026-03-20
Title
RegistrationMagic – Custom Registration Forms, User Registration, Payment, and User Login < 6.0.7.7 - Missing Authorization
Published
2026-02-20
Title
Team < 5.0.14 - Missing Authorization