Critical Vulnerabilities in WordPress Plugins
23 June 2023
WordPress has released security updates to address two critical vulnerabilities (CVE-2023-2986 and CVE-2023-2834) in two WordPress plugins. Both vulnerabilities have a Common Vulnerability Scoring System (CVSSv3) score of 9.8 out of 10.
The vulnerabilities and the corresponding affected plugins are:
CVE-2023-2986 (Abandoned Cart Lite for WooCommerce plugin, versions 5.14.2 and earlier): an authentication bypass vulnerability that could allow unauthenticated attackers to log in as users who have abandoned their cart.
CVE-2023-2834 (BookIt plugin, versions 2.3.7 and earlier): an authentication bypass vulnerability that could allow an unauthenticated attacker to gain access to any user account on the site, including the administrator account, if the email address is known.
Users and administrators of websites using affected plugins are advised to upgrade their plugins to the latest versions immediately.
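As an added example (not part of this advisory), the following POSIX shell script flags installed plugins whose version is at or below the affected versions listed above. It reads the CSV that `wp plugin list --fields=name,version --format=csv` prints; the plugin slugs `woocommerce-abandoned-cart` and `bookit` are assumed, `sort -V` is assumed to be available (GNU coreutils), and the sample CSV at the bottom is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the advisory: report plugins still at an affected version.

# Returns 0 (true) when version $1 is less than or equal to version $2,
# using sort -V for natural version ordering (assumes GNU sort).
version_le() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Highest affected version per plugin, taken from the advisory.
# The plugin slugs are assumptions about how the plugins are installed.
affected_ceiling() {
    case "$1" in
        woocommerce-abandoned-cart) echo "5.14.2" ;;   # CVE-2023-2986
        bookit)                     echo "2.3.7"  ;;   # CVE-2023-2834
        *) return 1 ;;                                 # not in the advisory
    esac
}

# Reads "name,version" CSV lines on stdin (the wp-cli output format) and
# prints one line per plugin whose installed version is still affected.
check_plugins() {
    while IFS=, read -r name version; do
        [ "$name" = "name" ] && continue            # skip the CSV header
        ceiling=$(affected_ceiling "$name") || continue
        if version_le "$version" "$ceiling"; then
            printf '%s %s affected (<= %s)\n' "$name" "$version" "$ceiling"
        fi
    done
    return 0
}

# Constructed sample of `wp plugin list --fields=name,version --format=csv`.
SAMPLE='name,version
woocommerce-abandoned-cart,5.14.2
bookit,2.3.8
akismet,5.1'

check_plugins <<EOF
$SAMPLE
EOF
```

On a live site, pipe the real wp-cli output into `check_plugins` instead of the sample; an empty result means no listed plugin is at an affected version.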
More information is available here:
https://www.tenable.com/cve/CVE-2023-2986
https://www.securityweek.com/critical-wordpress-plugin-vulnerabilities-impact-thousands-of-sites/
https://www.wordfence.com/blog/2023/06/tyche-softwares-addresses-authentication-bypass-vulnerability-in-abandoned-cart-lite-for-woocommerce-wordpress-plugin/
https://nvd.nist.gov/vuln/detail/CVE-2023-2986
https://packetstormsecurity.com/files/cve/CVE-2023-2834
https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/bookit/bookit-237-authentication-bypass