CVE-2024-2322

The WooCommerce Cart Abandonment Recovery WordPress plugin before 1.2.27 does not have CSRF check in its bulk actions, which could allow attackers to make logged in admins delete arbitrary email templates as well as delete and unsubscribe users from abandoned orders via CSRF attacks.

CVSS v3 6.8 MEDIUM

6.8^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 0.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://wpscan.com/vulnerability/c740ed3b-d6b8-4afc-8c6b-a1ec37597055/	Exploit Third Party Advisory
https://wpscan.com/vulnerability/c740ed3b-d6b8-4afc-8c6b-a1ec37597055/	Exploit Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:cartflows:woocommerce_cart_abandonment_recovery:*:*:*:*:*:wordpress:*:*

History

No history.

Information

Published : 2024-04-03 05:15

Updated : 2025-04-07 14:19

NVD link : CVE-2024-2322

Mitre link : CVE-2024-2322

CVE.ORG link : CVE-2024-2322

JSON object : View

Products Affected

cartflows

woocommerce_cart_abandonment_recovery

CWE

CWE-352

Cross-Site Request Forgery (CSRF)

6.8 /10