I. CVE-2023-2986 Basic Information
Vulnerability Information
# N/A

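## Overview
The Abandoned Cart Lite for WooCommerce plugin has an authentication bypass vulnerability affecting versions up to 5.14.2. It is caused by insufficient encryption of the user information when the abandoned cart link is decoded. An unauthenticated attacker can exploit it to log in as a user who abandoned a cart, typically a customer.

## Affected versions
- 5.14.2 and earlier

## Details
During decoding of the abandoned cart link, the user information is insufficiently encrypted, which allows authentication to be bypassed. Version 5.15.1 introduced additional security hardening that ensures past checkout links can no longer be exploited. Version 5.15.2 hardened this further to prevent authentication bypass using null key values.

## Impact
An unauthenticated attacker can log in while impersonating a user who abandoned a cart, which may lead to disclosure of user information and unauthorized access.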
                                        
Vulnerability title
N/A
Source: U.S. National Vulnerability Database (NVD)
Vulnerability description
The Abandoned Cart Lite for WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.14.2. This is due to insufficient encryption on the user being supplied during the abandoned cart link decode through the plugin. This allows unauthenticated attackers to log in as users who have abandoned the cart, who are typically customers. Further security hardening was introduced in version 5.15.1 that ensures sites are no longer vulnerable through historical check-out links, and additional hardening was introduced in version 5.15.2 that ensured null key values wouldn't permit the authentication bypass.
Source: U.S. National Vulnerability Database (NVD)
CVSS information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
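Source: U.S. National Vulnerability Database (NVD)
Vulnerability category
N/A
Source: U.S. National Vulnerability Database (NVD)
Vulnerability title
WordPress Plugin Abandoned Cart Lite for WooCommerce security vulnerability
Source: China National Vulnerability Database of Information Security (CNNVD)
Vulnerability description
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in PHP. The platform supports setting up personal blog sites on servers running PHP and MySQL. WordPress plugin is an application plugin. WordPress Plugin Abandoned Cart Lite for WooCommerce 5.14.2 and earlier versions contain a security vulnerability. An attacker can exploit the vulnerability to log in as a user who abandoned the cart.
Source: China National Vulnerability Database of Information Security (CNNVD)
CVSS information
N/A
Source: China National Vulnerability Database of Information Security (CNNVD)
Vulnerability category
Other
Source: China National Vulnerability Database of Information Security (CNNVD)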
II. Public PoCs for CVE-2023-2986

| # | PoC description | Source link |
|---|-----------------|-------------|
| 1 | Proof of Concept for vulnerability CVE-2023-2986 in 'Abandoned Cart Lite for WooCommerce' Plugin in WordPress | https://github.com/Ayantaker/CVE-2023-2986 |
| 2 | Proof of Concept for vulnerability CVE-2023-2986 in 'Abandoned Cart Lite for WooCommerce' Plugin in WordPress in Python Version | https://github.com/Alucard0x1/CVE-2023-2986 |
| 3 | The Abandoned Cart Lite for WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.14.2. This is due to insufficient encryption on the user being supplied during the abandoned cart link decode through the plugin. This allows unauthenticated attackers to log in as users who have abandoned the cart, who are typically customers. Further security hardening was introduced in version 5.15.1 that ensures sites are no longer vulnerable through historical check-out links, and additional hardening was introduced in version 5.15.2 that ensured null key values wouldn't permit the authentication bypass. | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/cves/2023/CVE-2023-2986.yaml |
| 4 | The Abandoned Cart Lite for WooCommerce plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.14.2. This is due to insufficient encryption on the user being supplied during the abandoned cart link decode through the plugin. This allows unauthenticated attackers to log in as users who have abandoned the cart, who are typically customers. Further security hardening was introduced in version 5.15.1 that ensures sites are no longer vulnerable through historical check-out links, and additional hardening was introduced in version 5.15.2 that ensured null key values wouldn't permit the authentication bypass. | https://github.com/projectdiscovery/nuclei-templates/blob/main/code/cves/2023/CVE-2023-2986.yaml |