CVE-2026-56010
Tyche · Abandoned Cart Pro for WooCommerce
A privilege escalation vulnerability in Abandoned Cart Pro for WooCommerce allows a subscriber-level user to escalate their privileges to administrative access.
Executive summary
The Abandoned Cart Pro for WooCommerce plugin contains a critical privilege escalation flaw that allows authenticated subscribers to gain unauthorized administrative control over the WordPress site.
Vulnerability
This vulnerability involves an improper capability check: an authenticated user holding only the "subscriber" role can perform actions that should be restricted to administrative roles. The flaw resides in the plugin's handling of user permission validation, i.e. privileged functionality is reachable without verifying that the caller actually holds the required capability.
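To make the "improper capability check" concrete from a defender's perspective, the following is an added illustration written for this page; it is not the plugin's code and says nothing about where the real flaw sits. It shows a hypothetical WordPress AJAX handler in the vulnerable shape (registered for any logged-in user, no permission check) beside the hardened shape. All names (acp_example_*, the option key and the nonce action) are made up for the example.

```php
<?php
// Added example, not the plugin's code. Hypothetical admin-only AJAX action that
// stores a settings array. Every identifier below is invented for illustration.

// BEFORE: the pattern behind an "improper capability check". wp_ajax_* hooks fire
// for every authenticated user, and nothing here asks which role is calling, so a
// subscriber can change privileged state just by being logged in.
add_action( 'wp_ajax_acp_example_save_settings_v1', 'acp_example_save_settings_vulnerable' );
function acp_example_save_settings_vulnerable() {
    // No capability check and no nonce: any logged-in role reaches this line.
    update_option( 'acp_example_settings', wp_unslash( $_POST['settings'] ?? array() ) );
    wp_send_json_success();
}

// AFTER: verify the caller's capability and the request nonce before touching state.
add_action( 'wp_ajax_acp_example_save_settings_v2', 'acp_example_save_settings_hardened' );
function acp_example_save_settings_hardened() {
    // Capability check: test a capability, not a role name, and not is_admin(),
    // which only tells you the request targets an admin-area URL.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Nonce check (CSRF): the request must carry a nonce issued to this user for
    // this action; check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'acp_example_settings_nonce', 'nonce' );
    // Sanitize before persisting.
    $settings = array_map(
        'sanitize_text_field',
        (array) wp_unslash( $_POST['settings'] ?? array() )
    );
    update_option( 'acp_example_settings', $settings );
    wp_send_json_success();
}
```

The review habit this encodes: for every wp_ajax_*, admin_post_* or REST callback that changes state, locate the current_user_can() call and confirm the capability it names is one a subscriber does not have. A nonce alone is not a permission check, since a subscriber can legitimately obtain a nonce from a page they are allowed to view.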
Business impact
Successful exploitation of this vulnerability grants an attacker full administrative access to the WordPress environment. This risk, reflected in the 8.8 CVSS score, could lead to complete site compromise, data exfiltration, and execution of arbitrary code, resulting in severe reputational and operational damage.
Remediation
Immediate Action: Update the Abandoned Cart Pro for WooCommerce plugin to the latest patched version provided by Tyche.
Proactive Monitoring: Audit user account activity for any unexpected administrative actions or newly created high-privilege accounts.
Compensating Controls: Implement a Web Application Firewall (WAF) with rules configured to block suspicious requests targeting WordPress administrative endpoints.
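The "Proactive Monitoring" step above asks for a review of accounts that hold elevated privileges. The script below is an added example, not part of the advisory or the plugin, that lists every account with the administrator role, newest registration first, and flags those registered within a review window. The 30-day window and the suggested file name are assumptions; it is meant to be run with WP-CLI (for example `wp eval-file audit-admins.php`) so it executes inside the loaded WordPress install.

```php
<?php
// Added example (not the advisory's or the plugin's code): enumerate administrator
// accounts so a reviewer can spot unexpected or newly created high-privilege users.
// Run inside WordPress, e.g. via `wp eval-file audit-admins.php` (file name assumed).

// Review window: accounts registered after this instant are marked RECENT.
// 30 days is an assumption; widen it to cover the period the site ran the vulnerable version.
$since = new DateTimeImmutable( '-30 days', new DateTimeZone( 'UTC' ) );

// WP_User_Query with 'role' matches on the stored capabilities meta, so this also
// catches accounts whose role was changed to administrator after creation.
$query = new WP_User_Query( array(
    'role'    => 'administrator',
    'orderby' => 'registered',
    'order'   => 'DESC',
    'number'  => -1, // all matches; acceptable because admin accounts are few
) );

printf( "%s\t%s\t%s\t%s\t%s\n", 'ID', 'login', 'email', 'registered (UTC)', 'flag' );
foreach ( $query->get_results() as $user ) {
    // user_registered is stored in UTC by WordPress.
    $registered = new DateTimeImmutable( $user->user_registered, new DateTimeZone( 'UTC' ) );
    $flag       = ( $registered >= $since ) ? 'RECENT' : '';
    printf(
        "%d\t%s\t%s\t%s\t%s\n",
        $user->ID,
        $user->user_login,
        $user->user_email,
        $user->user_registered,
        $flag
    );
}
```

Registration date alone does not reveal an existing low-privilege account that was promoted, so compare the output against a known-good list of administrators (or a backup taken before the vulnerable version was installed) rather than relying on the RECENT flag by itself.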
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high CVSS score of 8.8, immediate remediation is required to secure the integrity of the affected WordPress instance. Administrators should prioritize updating the plugin and conducting a thorough review of existing user accounts to identify potential unauthorized privilege changes.