WordPress Plugin Vulnerabilities

Cart Abandonment Recovery for WooCommerce < 2.1.0 - Shop Manager+ Privilege Escalation

Description

The plugin is vulnerable to Privilege Escalation. This makes it possible for authenticated attackers, with Shop Manager-level access and above, to escalate their privileges to that of an administrator.

Affects Plugins

Plugin icon
woo-cart-abandonment-recovery
Fixed in 2.1.0

References

CVE
CVE-2026-39470
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/868c178f-9389-4da0-8ebb-ee94f025039f

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Nguyen Ba Khanh
Verified
No
WPVDB ID
ebf549c3-b9e5-4a79-8f5e-a587c9b8c1ec

Timeline

Publicly Published
2026-04-08 (about 1 month ago)
Added
2026-04-15 (about 28 days ago)
Last Updated
2026-04-15 (about 28 days ago)

Other

Published
Title
Published
2023-08-08
Title
Biometric Login for WooCommerce < 1.0.4 - Unauthenticated Privilege Escalation
Published
2026-04-27
Title
LatePoint < 5.4.2 - Agent+ Privilege Escalation
Published
2023-11-14
Title
Thrive Theme Builder < 3.24.0 - Subscriber+ Privilege Escalation
Published
2025-03-07
Title
Post Meta Data Manager <= 1.4.4 - Authentciated (Admin+) Multisite Privilege Escalation
Published
2024-02-21
Title
Academy LMS – eLearning and online course solution for WordPress < 1.9.20 - Authenticated (Subscriber+) Privilege Escalation