CVE-2023-2986

CRITICAL EXPLOITED NUCLEI

Abandoned Cart Lite for WooCommerce <= 5.14.2 - Unauthenticated Authentication Bypass via Insufficient Encryption

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2023-2986 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 2 public exploits from researchers including Ayantaker, Alucard0x1. A Nuclei detection template is also available.

AI-analyzed exploit summary This repository contains a functional proof-of-concept exploit for CVE-2023-2986, an authentication bypass vulnerability in the 'Abandoned Cart Lite for WooCommerce' WordPress plugin. The PoC enumerates cart IDs to generate authentication bypass URLs, allowing unauthorized access to user accounts, including potential admin access.

Description

The Abandoned Cart Lite for WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.14.2. This is due to insufficient encryption on the user being supplied during the abandoned cart link decode through the plugin. This allows unauthenticated attackers to log in as users who have abandoned the cart, who are typically customers. Further security hardening was introduced in version 5.15.1 that ensures sites are no longer vulnerable through historical check-out links, and additional hardening was introduced in version 5.15.2 that ensured null key values wouldn't permit the authentication bypass.

Exploits (2)

nomisec WORKING POC 6 stars
by Ayantaker · remote
https://github.com/Ayantaker/CVE-2023-2986

This repository contains a functional proof-of-concept exploit for CVE-2023-2986, an authentication bypass vulnerability in the 'Abandoned Cart Lite for WooCommerce' WordPress plugin. The PoC enumerates cart IDs to generate authentication bypass URLs, allowing unauthorized access to user accounts, including potential admin access.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Abandoned Cart Lite for WooCommerce < 5.15.2
No auth needed
Prerequisites: Target WordPress site with vulnerable plugin installed · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →
nomisec WORKING POC
by Alucard0x1 · remote
https://github.com/Alucard0x1/CVE-2023-2986

This PoC exploits an authentication bypass vulnerability in the 'Abandoned Cart Lite for WooCommerce' WordPress plugin by crafting a malicious URL with an encrypted payload. It enumerates cart IDs and attempts to bypass authentication using a hardcoded or empty encryption key.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Moderate
Reliability
Reliable
Target: Abandoned Cart Lite for WooCommerce (WordPress plugin)
No auth needed
Prerequisites: Target WordPress site with vulnerable plugin installed · Network access to the target
devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Abandoned Cart Lite for WooCommerce - Authentication Bypass
CRITICALVERIFIEDby iamnoooob,pdresearch
FOFA: body="/wp-content/plugins/woocommerce-abandoned-cart/"

References (8)

Core 8
Core References

Scores

CVSS v3 9.8
EPSS 0.4350
EPSS Percentile 98.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

VulnCheck KEV 2023-06-23
CWE
CWE-288
Status published
Products (2)
tychesoftwares/Abandoned Cart Lite for WooCommerce < 5.15.1
tychesoftwares/abandoned_cart_lite_for_woocommerce < 5.14.2
Published Jun 08, 2023
Tracked Since Feb 18, 2026