Description
Unauthenticated Cross Site Request Forgery (CSRF) in Abandoned Cart Lite for WooCommerce <= 6.8.0 versions.
Published: 2026-06-26
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Cross-Site Request Forgery that allows any website to cause a logged-in user to perform actions through the Abandoned Cart Lite plugin. Because the plugin accepts GET requests without token verification, an attacker can trigger plugin functions such as adding emails or manipulating cart data. This could allow data modification or unintended email notifications, compromising the confidentiality and integrity of the site.

Affected Systems

WordPress sites running TycheSoftwares' Abandoned Cart Lite for WooCommerce plugin, any version up to and including 6.8.0.

Risk and Exploitability

The CVSS base score of 4.3 places this in the moderate risk range. EPSS data is not available and the issue is not listed in KEV, indicating that there is no verified exploitation yet. Because the flaw is unauthenticated and only requires the victim to visit a crafted URL, the attack is relatively easy to deliver: attackers can create a malicious link and lure a logged-in user to click it, or embed it in a phishing page. Exploitation complexity is low; once the target user performs the request, the privileged action is executed.

Generated by OpenCVE AI on June 26, 2026 at 16:55 UTC.

Remediation

Vendor Solution

Update the WordPress Abandoned Cart Lite for WooCommerce Plugin to the latest available version (at least 6.8.1).


OpenCVE Recommended Actions

  • Upgrade the Abandoned Cart Lite for WooCommerce plugin to version 6.8.1 or later
  • Temporarily disable the plugin's cart-abandonment email features or any other critical functionality until the update can be applied
  • Add a web-application firewall rule or use a security plugin to require CSRF tokens for all POST requests to the plugin's endpoints, and enforce SameSite=Lax or Strict cookie attributes
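The root cause described above (a state-changing plugin endpoint reachable by GET with no token check) is the standard CWE-352 pattern in WordPress plugins, and the standard fix is a nonce bound to the action plus a capability check. The following is an added example written for this page; it is not code from the Abandoned Cart Lite plugin, and the hook names, nonce action, option name and the `manage_woocommerce` capability requirement are assumptions chosen for illustration. It shows the weak pattern next to a hardened `admin-post.php` handler and the form that emits the matching nonce.

```php
<?php
// Added example (not code from the Abandoned Cart Lite plugin). Hook names,
// nonce action and option name are hypothetical placeholders.

// Weak pattern: a state change reachable by GET with no nonce or capability check.
// Any page the logged-in user's browser visits can make it request this URL.
add_action( 'admin_post_acl_demo_add_email_weak', function () {
    $email = isset( $_GET['email'] ) ? sanitize_email( wp_unslash( $_GET['email'] ) ) : '';
    if ( $email ) {
        update_option( 'acl_demo_notify_email', $email ); // write happens unconditionally
    }
    wp_safe_redirect( admin_url( 'admin.php?page=acl-demo' ) );
    exit;
} );

// Hardened handler: POST only, nonce tied to this action, explicit authorization.
add_action( 'admin_post_acl_demo_add_email', 'acl_demo_handle_add_email' );
function acl_demo_handle_add_email() {
    // 1. Refuse anything but POST so a plain link or image tag cannot reach the write.
    if ( 'POST' !== $_SERVER['REQUEST_METHOD'] ) {
        wp_die( 'Method not allowed', '', array( 'response' => 405 ) );
    }

    // 2. Verify the nonce for this specific action. check_admin_referer() calls
    //    wp_die() on failure; the nonce is per user and per session, so a
    //    third-party site cannot forge it.
    check_admin_referer( 'acl_demo_add_email', 'acl_demo_nonce' );

    // 3. CSRF protection is not authorization: also check the capability
    //    (manage_woocommerce is assumed here; pick the one that fits the action).
    if ( ! current_user_can( 'manage_woocommerce' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }

    // 4. Validate input only after the request is known to be legitimate.
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( ! is_email( $email ) ) {
        wp_die( 'Invalid email address', '', array( 'response' => 400 ) );
    }

    update_option( 'acl_demo_notify_email', $email );
    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=acl-demo' ) ) );
    exit;
}

// Settings form that posts to admin-post.php and carries the matching nonce.
function acl_demo_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="acl_demo_add_email">
        <?php wp_nonce_field( 'acl_demo_add_email', 'acl_demo_nonce' ); ?>
        <label>Notification email <input type="email" name="email" required></label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

The nonce name passed to `wp_nonce_field()` must match the one `check_admin_referer()` reads, and the action string must match as well; a nonce generated for one action does not validate for another. The SameSite cookie attribute mentioned in the recommendations is a useful second layer, but the nonce check is what closes the flaw in the plugin itself.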



Advisories

No advisories yet.

History

Fri, 26 Jun 2026 17:30:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 26 Jun 2026 15:15:00 +0000

Type         Values Removed   Values Added
Description  -                Unauthenticated Cross Site Request Forgery (CSRF) in Abandoned Cart Lite for WooCommerce <= 6.8.0 versions.
Title        -                WordPress Abandoned Cart Lite for WooCommerce plugin <= 6.8.0 - Cross Site Request Forgery (CSRF) vulnerability
Weaknesses   -                CWE-352
References   -                -
Metrics      -                cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-26T16:37:47.268Z

Reserved: 2026-06-25T08:03:17.055Z

Link: CVE-2026-57637

Vulnrichment

Updated: 2026-06-26T16:37:40.845Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-26T17:00:04Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)