Description
The WooCommerce Recover Abandoned Cart plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 24.4.0 via deserialization of untrusted input from the 'raccookie_guest_email' cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions such as deleting arbitrary files, retrieving sensitive data, or executing code, depending on the POP chain present.
Published: 2025-03-05
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Potential code execution via PHP Object Injection
Action: Upgrade Plugin
AI Analysis

Impact

The WooCommerce Recover Abandoned Cart plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 24.4.0 because it unserializes untrusted input from the raccookie_guest_email cookie. An unauthenticated attacker can inject a PHP object, but the vulnerability alone does not provide a direct attack vector; it requires another installed plugin or theme that contains a property-oriented programming (POP) gadget chain to succeed. If such a chain is present, the attacker could delete arbitrary files, retrieve sensitive data, or execute code, thereby compromising confidentiality, integrity, and potentially availability of the WordPress site.
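The following PHP is an added example, not code from the WooCommerce Recover Abandoned Cart plugin or from OpenCVE. It places the pattern the advisory describes (a raw unserialize() of cookie data) beside two hardened readers and a small detection helper. Only the cookie name raccookie_guest_email comes from the advisory; every function name, the HMAC cookie scheme, the secret and the sample cookie values are constructed for this illustration.

```php
<?php
declare(strict_types=1);

// Added example, not the plugin's code. Cookie name is from the advisory;
// function names, the HMAC scheme and all sample values below are constructed.

const GUEST_COOKIE = 'raccookie_guest_email';

// Vulnerable pattern (the bug class the advisory describes): unserialize() on
// client-controlled data lets the client pick which PHP classes get instantiated,
// which is exactly the precondition a POP gadget chain in another plugin needs.
function read_guest_email_vulnerable(array $cookies): ?string
{
    if (!isset($cookies[GUEST_COOKIE])) {
        return null;
    }
    $value = @unserialize((string) $cookies[GUEST_COOKIE]);
    return is_string($value) ? $value : null;
}

// Hardened variant 1: same wire format, but object tokens are neutralised.
// With allowed_classes => false (PHP >= 7.0) every O:/C: token is turned into
// __PHP_Incomplete_Class, so no __wakeup()/__destruct() of an application class
// can run. The result is then validated as an e-mail address, the only thing
// this cookie should ever hold.
function read_guest_email_hardened(array $cookies): ?string
{
    if (!isset($cookies[GUEST_COOKIE])) {
        return null;
    }
    $value = @unserialize((string) $cookies[GUEST_COOKIE], ['allowed_classes' => false]);
    if (!is_string($value)) {
        return null;
    }
    $email = filter_var($value, FILTER_VALIDATE_EMAIL);
    return $email === false ? null : $email;
}

// Hardened variant 2: stop using PHP serialization for client-held state at all.
// Store the bare e-mail (URL-safe base64) with an HMAC so a tampered cookie is
// rejected before any parsing happens.
function make_guest_email_cookie(string $email, string $secret): string
{
    $payload = rtrim(strtr(base64_encode($email), '+/', '-_'), '=');
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

function read_guest_email_signed(array $cookies, string $secret): ?string
{
    if (!isset($cookies[GUEST_COOKIE])) {
        return null;
    }
    $parts = explode('.', (string) $cookies[GUEST_COOKIE], 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$payload, $mac] = $parts;
    // Constant-time comparison; known-good value first, user-supplied second.
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null; // forged or modified cookie
    }
    $email = base64_decode(strtr($payload, '-_', '+/'), true);
    if ($email === false) {
        return null;
    }
    $valid = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $valid === false ? null : $valid;
}

// Detection aid for WAF rules or request logging: a guest-email cookie that
// carries a serialized object or class token (O:<len>:"..." / C:<len>:"...")
// is never legitimate for this cookie and is worth alerting on.
function cookie_carries_serialized_object(string $raw): bool
{
    return preg_match('/(^|[;{])[OC]:\d+:"/', $raw) === 1;
}

if (PHP_SAPI === 'cli') {
    $secret = 'constructed-demo-secret-rotate-in-production';
    $plain  = [GUEST_COOKIE => serialize('guest@example.com')];            // constructed
    $object = [GUEST_COOKIE => 'O:8:"stdClass":0:{}'];                      // constructed
    $signed = [GUEST_COOKIE => make_guest_email_cookie('guest@example.com', $secret)];
    $forged = [GUEST_COOKIE => 'Z3Vlc3RAZXhhbXBsZS5jb20.0000'];              // constructed

    var_dump(read_guest_email_hardened($plain));            // legitimate serialized string
    var_dump(read_guest_email_hardened($object));           // object token, rejected
    var_dump(read_guest_email_signed($signed, $secret));    // valid HMAC
    var_dump(read_guest_email_signed($forged, $secret));    // HMAC mismatch, rejected
    var_dump(cookie_carries_serialized_object($object[GUEST_COOKIE]));
}
```

The allowed_classes option is the smallest change that removes the POP-chain precondition without altering the stored format, which matters when existing visitor cookies must keep working; the signed-cookie variant is the preferable end state because it never hands attacker-controlled bytes to unserialize() in the first place. The detection helper is useful independently of the fix: a serialized object token in this cookie is a strong indicator of an exploitation attempt and can be logged or blocked at the web server or WAF.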

Affected Systems

The affected product is the WooCommerce Recover Abandoned Cart plugin distributed by FantasticPlugins. All releases up to and including version 24.4.0 are vulnerable. The plugin runs on WordPress installations where it is installed and activated.

Risk and Exploitability

The CVSS score of 8.1 (vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) reflects high severity: full confidentiality, integrity and availability impact when a POP chain exists, tempered by high attack complexity because such a chain must be present. The EPSS score of less than 1% indicates a low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. An attacker would need to craft a malicious raccookie_guest_email cookie and have the site process it, typically by sending a forged request that carries it; the vector's PR:N/UI:N records that no login and no victim interaction are required. Exploitation is limited to sites that also host a POP chain in another plugin or theme; for sites without such code the risk remains theoretical.

Generated by OpenCVE AI on April 28, 2026 at 03:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the WooCommerce Recover Abandoned Cart plugin to version 24.4.1 or later
  • Remove or update any other plugins or themes that may contain property-oriented programming (POP) gadget chains
  • If an immediate upgrade is not feasible, uninstall or disable the vulnerable plugin to block the injection vector

Advisories
Source: EUVD
ID: EUVD-2025-6027
Title: The WooCommerce Recover Abandoned Cart plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 24.3.0 via deserialization of untrusted input from the 'raccookie_guest_email' cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
History

Wed, 08 Apr 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-20

Wed, 08 Apr 2026 17:00:00 +0000

Type Values Removed Values Added
Description
  Values Removed: The WooCommerce Recover Abandoned Cart plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 24.3.0 via deserialization of untrusted input from the 'raccookie_guest_email' cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
  Values Added: The WooCommerce Recover Abandoned Cart plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 24.4.0 via deserialization of untrusted input from the 'raccookie_guest_email' cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
Title
  Values Removed: WooCommerce Recover Abandoned Cart <= 24.3.0 - Unauthenticated PHP Object Injection
  Values Added: WooCommerce Recover Abandoned Cart <= 24.4.0 - Unauthenticated PHP Object Injection
Weaknesses CWE-502

Wed, 05 Mar 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 05 Mar 2025 09:30:00 +0000

Type Values Removed Values Added
Description The WooCommerce Recover Abandoned Cart plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 24.3.0 via deserialization of untrusted input from the 'raccookie_guest_email' cookie. This makes it possible for unauthenticated attackers to inject a PHP Object. No known POP chain is present in the vulnerable software, which means this vulnerability has no impact unless another plugin or theme containing a POP chain is installed on the site. If a POP chain is present via an additional plugin or theme installed on the target system, it may allow the attacker to perform actions like delete arbitrary files, retrieve sensitive data, or execute code depending on the POP chain present.
Title WooCommerce Recover Abandoned Cart <= 24.3.0 - Unauthenticated PHP Object Injection
Weaknesses CWE-20
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:33:45.919Z

Reserved: 2025-01-31T20:14:55.535Z

Link: CVE-2025-0956

Vulnrichment

Updated: 2025-03-05T15:01:35.981Z

NVD

Status : Deferred

Published: 2025-03-05T10:15:19.480

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-0956

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T03:45:20Z

Weaknesses