CVE-2019-25152

The Abandoned Cart Lite for WooCommerce and Abandoned Cart Pro for WooCommerce plugins for WordPress are vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 5.1.3 and 7.12.0 respectively, due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in user input that will execute on the admin dashboard.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/changeset/2033212	Patch
https://wpscan.com/vulnerability/9229	Third Party Advisory
https://www.wordfence.com/blog/2019/03/xss-flaw-in-abandoned-cart-plugin-leads-to-wordpress-site-takeovers/	Exploit Third Party Advisory
https://www.wordfence.com/threat-intel/vulnerabilities/id/a9cc5c6d-4396-4ebf-8788-f01dd9e9cfbc?source=cve	Third Party Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:tychesoftwares:abandoned_cart_lite_for_woocommerce::::::wordpress::*
	cpe:2.3:a:tychesoftwares:abandoned_cart_pro_for_woocommerce::::::wordpress::*

History

28 Jun 2023, 17:44

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-06-22 02:15

Updated : 2024-02-04 23:37

NVD link : CVE-2019-25152

Mitre link : CVE-2019-25152

CVE.ORG link : CVE-2019-25152

JSON object : View

Products Affected

tychesoftwares

abandoned_cart_pro_for_woocommerce
abandoned_cart_lite_for_woocommerce

CWE

No CWE.

{"id": "CVE-2019-25152", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "security@wordfence.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 3.9}]}, "published": "2023-06-22T02:15:47.730", "references": [{"url": "https://plugins.trac.wordpress.org/changeset/2033212", "tags": ["Patch"], "source": "security@wordfence.com"}, {"url": "https://wpscan.com/vulnerability/9229", "tags": ["Third Party Advisory"], "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/blog/2019/03/xss-flaw-in-abandoned-cart-plugin-leads-to-wordpress-site-takeovers/", "tags": ["Exploit", "Third Party Advisory"], "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a9cc5c6d-4396-4ebf-8788-f01dd9e9cfbc?source=cve", "tags": ["Third Party Advisory"], "source": "security@wordfence.com"}], "vulnStatus": "Modified", "descriptions": [{"lang": "en", "value": "The Abandoned Cart Lite for WooCommerce and Abandoned Cart Pro for WooCommerce plugins for WordPress are vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 5.1.3 and 7.12.0 respectively, due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in user input that will execute on the admin dashboard."}], "lastModified": "2023-11-07T03:09:22.440", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tychesoftwares:abandoned_cart_lite_for_woocommerce:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "8931697D-8EC8-4B2A-881B-286B495DCCC0", "versionEndExcluding": "5.2.0"}, {"criteria": "cpe:2.3:a:tychesoftwares:abandoned_cart_pro_for_woocommerce:*:*:*:*:*:wordpress:*:*", "vulnerable": true, "matchCriteriaId": "371B5867-CE38-44E6-9DCD-3FB3DABAE8A5", "versionEndIncluding": "7.12.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@wordfence.com"}