WordPress Plugin Vulnerabilities

Abandoned Cart Lite for WooCommerce < 5.16.1 - Improper Authorization via wcal_delete_expired_used_coupon_code

Description

The plugin is vulnerable to unauthorized access of data due to a missing capability check on the wcal_delete_expired_used_coupon_code function.
This makes it possible for unauthenticated attackers to preview emails, granted they are able to obtain a nonce via a separate vulnerability.

Affects Plugins

Plugin icon
woocommerce-abandoned-cart
Fixed in 5.16.1

References

URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/52d1f9a3-243e-4e2c-a752-f40b6d275121

Classification

Type
INCORRECT AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-863
CVSS
3.1 (low)

Miscellaneous

Verified
No
WPVDB ID
dd9186f6-41d6-4a1c-93c4-3fd53871c734

Timeline

Publicly Published
2023-11-21 (about 2 years ago)
Added
2024-01-26 (about 2 years ago)
Last Updated
2024-01-26 (about 2 years ago)

Other

Published
Title
Published
2022-11-21
Title
WPTools < 3.43 - Subscriber+ Arbitrary Plugin Installation
Published
2023-02-09
Title
WPCode < 2.0.7 - Contributor+ WPCode Library Auth Key Update/Deletion
Published
2025-07-01
Title
Soumettre.fr <= 2.1.5 - Unauthenticated Soumettre Posts Creation/Modification/Deletion
Published
2023-11-16
Title
Jetpack < 12.7 - Improper Authorization via WPCom External Media REST endpoints
Published
2022-05-09
Title
Change wp-admin Login < 1.1.0 - Unauthenticated Arbitrary Settings Update