Impact
The vulnerability is a classic Cross‑Site Request Forgery flaw (CWE‑352) in the Recover abandoned cart for WooCommerce plugin, allowing an attacker to forge requests that are executed with the privileges of an authenticated user. The flaw does not grant remote code execution but can be used to manipulate cart or order data, potentially leading to financial loss or data tampering. The CVSS score of 4.3 reflects a moderate impact but limited scope. As is typical for CSRF, exploitation requires the attacker to host a malicious page that, when visited by a victim who is logged into the site, automatically submits a forged request to the plugin’s endpoint.
Affected Systems
The affected product is the Recover abandoned cart for WooCommerce plugin by sonalsinha21, versions up to and including 2.2. This WordPress plugin is commonly installed on e‑commerce sites that rely on WooCommerce to handle abandoned cart functionality.
Risk and Exploitability
The likely attack vector follows standard CSRF mechanics: the attacker needs a user who is authenticated to the target site and must trick that user into visiting a malicious page that automatically submits a forged request to the plugin’s endpoint. The EPSS score of less than 1% indicates a very low likelihood of exploitation in the wild. The vulnerability is not listed in CISA’s KEV catalog. The risk level is moderate due to the need for user authentication and the potential impact on e‑commerce operations.
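The root cause of a WordPress plugin CSRF is almost always a state-changing request handler that never checks where the request came from. The following is an added illustration of that pattern and of the standard WordPress fix (a per-action nonce plus a capability check); it is not code from the Recover abandoned cart for WooCommerce plugin, and the action name, option key, capability and function names (`rac_demo_*`, `manage_woocommerce`) are hypothetical placeholders chosen for the example.

```php
<?php
// Added illustration, not code from the Recover abandoned cart for WooCommerce plugin.
// All rac_demo_* names, the option key and the admin page slug are hypothetical.

// --- Unsafe pattern: a state-changing admin-post handler with no origin check.
// Any cross-site POST carrying the expected fields is processed as the logged-in
// user, which is the CWE-352 condition described in the advisory text.
add_action( 'admin_post_rac_demo_update_settings_unsafe', 'rac_demo_update_settings_unsafe' );
function rac_demo_update_settings_unsafe() {
    $value = isset( $_POST['rac_demo_setting'] ) ? $_POST['rac_demo_setting'] : '';
    update_option( 'rac_demo_setting', $value );
    wp_safe_redirect( admin_url( 'admin.php?page=rac-demo' ) );
    exit;
}

// --- Hardened pattern: nonce tied to the action and the user session, then a
// capability check, then sanitized input.

// 1. The settings form embeds a nonce for exactly this action. A page on another
//    origin cannot read this value, so it cannot construct a request that passes.
function rac_demo_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="rac_demo_update_settings">
        <?php wp_nonce_field( 'rac_demo_update_settings', 'rac_demo_nonce' ); ?>
        <input type="text" name="rac_demo_setting"
               value="<?php echo esc_attr( get_option( 'rac_demo_setting', '' ) ); ?>">
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2. The handler rejects any request whose nonce is missing, expired or issued for a
//    different action, and only then verifies the user may change the setting.
add_action( 'admin_post_rac_demo_update_settings', 'rac_demo_update_settings' );
function rac_demo_update_settings() {
    // check_admin_referer() wraps wp_verify_nonce() and stops execution with a
    // 403 "The link you followed has expired" page when verification fails.
    check_admin_referer( 'rac_demo_update_settings', 'rac_demo_nonce' );

    // A valid nonce only proves the request came from this site's own form;
    // authorization is a separate check.
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.' ), '', array( 'response' => 403 ) );
    }

    $value = isset( $_POST['rac_demo_setting'] )
        ? sanitize_text_field( wp_unslash( $_POST['rac_demo_setting'] ) )
        : '';
    update_option( 'rac_demo_setting', $value );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=rac-demo' ) ) );
    exit;
}
```

For AJAX endpoints the same shape applies with `check_ajax_referer()` in place of `check_admin_referer()`, and any front-end endpoint that changes cart or order state should likewise require a POST with a nonce rather than accepting a bare GET. When reviewing a plugin for this class of bug, the quick check is to grep every `admin_post_*`, `wp_ajax_*` and REST callback that writes data and confirm each one verifies a nonce (or, for REST, a `permission_callback`) before touching state.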
OpenCVE Enrichment
EUVD