CVE-2026-12585 PUBLISHED

Abandoned Cart Lite for WooCommerce < 6.8.2 - Unauthenticated Account Takeover via Malleable Recovery-Link Token

Assigner: WPScan
Reserved: 18.06.2026 Published: 16.07.2026 Updated: 16.07.2026

The Abandoned Cart Lite for WooCommerce WordPress plugin before 6.8.2 does not protect the integrity of its cart-recovery tokens or bind them to the requesting account, allowing unauthenticated attackers to forge a recovery link that logs them in as another user when the automatic-login option is enabled.

Product Status

Vendor Unknown
Product Abandoned Cart Lite for WooCommerce
Versions Default: unaffected
  • affected from 0 to 6.8.2 (excl.)

Credits

  • Shivamani Vastrala finder
  • WPScan coordinator

References

Problem Types

  • CWE-287 Improper Authentication CWE