Description
Missing Authorization vulnerability in FantasticPlugins WooCommerce Recover Abandoned Cart rac allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Recover Abandoned Cart: from n/a through <= 24.6.0.
Published: 2025-12-18
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Missing authorization in the WooCommerce Recover Abandoned Cart plugin allows an attacker to delete arbitrary content, compromising data integrity. The flaw arises from incorrectly configured access control levels, enabling unauthorized users to issue deletion requests. This could lead to loss of customer information and store content.

Affected Systems

The vulnerability affects the FantasticPlugins WooCommerce Recover Abandoned Cart plugin for all releases up to and including version 24.6.0. Users who have installed any affected version on their WordPress sites are susceptible.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity, while the EPSS score below 1% suggests a low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog. Based on the nature of the vulnerability, the likely attack vector is remote exploitation through a web request, although the description does not specify precise prerequisites.

Generated by OpenCVE AI on April 29, 2026 at 18:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the WooCommerce Recover Abandoned Cart plugin to a released version newer than 24.6.0.
  • Reconfigure the plugin’s access control settings to limit content deletion privileges to administrators only.
  • If an immediate update is not possible, remove or disable the plugin to eliminate the deletion capability until a patch is applied.

Generated by OpenCVE AI on April 29, 2026 at 18:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

 cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N'}

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Fri, 19 Dec 2025 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Fantasticplugins
Fantasticplugins woocommerce Recover Abandoned Cart
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress
Vendors & Products Fantasticplugins
Fantasticplugins woocommerce Recover Abandoned Cart
Woocommerce
Woocommerce woocommerce
Wordpress
Wordpress wordpress

Thu, 18 Dec 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 18 Dec 2025 07:45:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in FantasticPlugins WooCommerce Recover Abandoned Cart rac allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Recover Abandoned Cart: from n/a through <= 24.6.0.
Title WordPress WooCommerce Recover Abandoned Cart plugin <= 24.6.0 - Arbitrary Content Deletion vulnerability
Weaknesses CWE-862
References

Subscriptions

Fantasticplugins Woocommerce Recover Abandoned Cart
Woocommerce Woocommerce
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:11.567Z

Reserved: 2025-10-29T03:08:02.189Z

Link: CVE-2025-64222

cve-icon Vulnrichment

Updated: 2025-12-18T20:26:31.109Z

cve-icon NVD

Status : Deferred

Published: 2025-12-18T08:16:12.033

Modified: 2026-04-27T16:16:35.397

Link: CVE-2025-64222

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T19:00:06Z

Weaknesses