Abandoned Cart Lite for WooCommerce Security & Risk Analysis

wordpress.org/plugins/woocommerce-abandoned-cart

Track abandoned carts and send automated, customizable abandoned cart recovery emails. Reduce cart abandonment, recover lost revenue & increase sales.

20K active installs · v6.7.0 · PHP 7.3+ · WP 6.3+ · Updated Mar 23, 2026
Tags: cart-abandonment-rate, cart-abandonment-recovery, cart-abandonment-solutions, woocommerce-cart-abandonment, woocommerce-cart-abandonment-recovery
93
A · Safe
CVEs total: 12
Unpatched: 0
Last CVE: Dec 1, 2023
Safety Verdict

Is Abandoned Cart Lite for WooCommerce Safe to Use in 2026?

Generally Safe

Score 93/100

Abandoned Cart Lite for WooCommerce has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

12 known CVEs · Last CVE: Dec 1, 2023 · Updated 1mo ago
Risk Assessment

The "woocommerce-abandoned-cart" plugin exhibits a mixed security posture. While it demonstrates good practices in SQL query preparation (75%) and output escaping (93%), significant concerns arise from its attack surface and historical vulnerability trends.

The static analysis reveals 11 entry points, with 2 AJAX handlers lacking authentication checks. This is a critical oversight, potentially allowing unauthorized users to trigger plugin functionalities. Furthermore, 7 out of 15 analyzed taint flows have unsanitized paths, with all 7 classified as high severity. This indicates a substantial risk of data manipulation or execution of unintended code due to improperly handled user input.

The plugin's history of 12 known CVEs, including 2 critical and 2 high severity vulnerabilities, is concerning. The prevalence of Cross-Site Request Forgery (CSRF), Missing Authorization, and SQL Injection vulnerabilities suggests recurring weaknesses in input validation and access control. The most recent vulnerability in December 2023, even if currently patched, highlights an ongoing pattern of exploitable flaws. While the absence of currently unpatched CVEs is a positive sign, the historical data and identified code-level risks necessitate caution.

Key Concerns

  • 2 AJAX handlers without auth checks
  • 7 High severity taint flows with unsanitized paths
  • 2 critical CVEs historically
  • 2 high CVEs historically
  • Dangerous function: unserialize
  • External HTTP requests (potential for SSRF)
Vulnerabilities
12 published

Abandoned Cart Lite for WooCommerce Security Vulnerabilities

CVEs by Year

2015: 1 CVE
2019: 1 CVE
2020: 1 CVE
2021: 1 CVE
2023: 8 CVEs

Severity Breakdown

Critical: 2
High: 2
Medium: 6
Low: 2

12 total CVEs

WF-1ce1316b-674a-4436-968f-9ffca4e8f726-woocommerce-abandoned-cart · medium · 5.3 · Cross-Site Request Forgery (CSRF)

Abandoned Cart Lite for WooCommerce <= 5.16.1 - Cross-Site Request Forgery

Dec 1, 2023 Patched in 5.16.2 (53d)

CVE-2023-41671 · medium · 5.4 · Missing Authorization

Abandoned Cart Lite for WooCommerce <= 5.16.1 - Missing Authorization via multiple AJAX functions

Nov 28, 2023 Patched in 5.16.2 (56d)

Abandoned Cart Lite for WooCommerce <= 5.16.0 - Improper Authorization via wcal_preview_emails

Nov 21, 2023 Patched in 5.16.1 (63d)

Abandoned Cart Lite for WooCommerce <= 5.16.0 - Improper Authorization via wcal_delete_expired_used_coupon_code

Nov 21, 2023 Patched in 5.16.1 (63d)

CVE-2023-44986 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Abandoned Cart Lite for WooCommerce <= 5.15.2 - Authenticated (Administrator+) Stored Cross-Site Scripting

Oct 2, 2023 Patched in 5.16.0 (113d)

CVE-2023-2986 · critical · 9.8 · Authentication Bypass Using an Alternate Path or Channel

Abandoned Cart Lite for WooCommerce <= 5.15.1 - Authentication Bypass

Jun 6, 2023 Patched in 5.15.2 (231d)

WF-a1e51a99-f5d4-47d4-bead-00ca1f5f72c2-woocommerce-abandoned-cart · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Abandoned Cart Lite for WooCommerce <= 5.14.1 - Cross-Site Request Forgery via delete_expired_used_coupon_code

May 22, 2023 Patched in 5.14.2 (246d)

WF-e743e656-2dd9-43ed-a190-b03af7c75c54-woocommerce-abandoned-cart · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Abandoned Cart Lite for WooCommerce <= 5.14.1 - Cross-Site Request Forgery via ts_reset_tracking_setting

May 22, 2023 Patched in 5.14.2 (246d)

CVE-2021-4414 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Abandoned Cart Lite for WooCommerce <= 5.8.5 - Cross-Site Request Forgery Bypass

Mar 1, 2021 Patched in 5.8.6 (1058d)

WF-562d0052-7f1a-441b-9ff7-1c8bcb4b74b4-woocommerce-abandoned-cart · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Abandoned Cart Lite for WooCommerce <= 5.8.2 - SQL Injection

Nov 8, 2020 Patched in 5.8.3 (1171d)

CVE-2019-25152 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Abandoned Cart Lite for WooCommerce < 5.2.0 and Abandoned Cart Pro for WooCommerce < 7.13.0 - Stored Cross-Site Scripting

Mar 11, 2019 Patched in 5.2.0 (1779d)

WF-00243844-a2ec-42fd-84d9-03e89619e361-woocommerce-abandoned-cart · high · 8.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Abandoned Cart Lite for WooCommerce < 1.9 - SQL Injection

Jul 15, 2015 Patched in 1.9 (3114d)
Code Analysis
Analyzed Mar 16, 2026

Abandoned Cart Lite for WooCommerce Code Analysis

Dangerous Functions: 4
Raw SQL Queries: 96 (283 prepared)
Unescaped Output: 49 (636 escaped)
Nonce Checks: 15
Capability Checks: 12
File Operations: 0
External Requests: 2
Bundled Libraries: 0

Dangerous Functions Found

unserialize · $rarr = unserialize( $role ); // phpcs:ignore · includes\class-wcal-common.php:465
unserialize · $coupon_product_categories = isset( $coupon_post_meta['product_categories'][0] ) && '' !== $coupon_p · includes\class-wcal-common.php:607
unserialize · $coupon_exculde_product_categories = isset( $coupon_post_meta['exclude_product_categories'][0] ) && · includes\class-wcal-common.php:609
unserialize · $coupon_brand = isset( $coupon_post_meta['brand'][0] ) && '' !== $coupon_post_meta['brand'][0] ? uns · includes\class-wcal-common.php:634

SQL Query Safety

75% prepared · 379 total queries

Output Escaping

93% escaped · 685 total outputs
Data Flows · Security
7 unsanitized

Data Flow Analysis

15 flows · 7 with unsanitized paths
save_data (includes\class-wcal-guest-ac.php:163)
Attack Surface
2 unprotected

Abandoned Cart Lite for WooCommerce Attack Surface

Entry Points: 11
Unprotected: 2

AJAX Handlers 11

nopriv · wp_ajax_wcal_gdpr_refused · includes\class-wcal-guest-ac.php:28
nopriv · wp_ajax_save_data · includes\class-wcal-guest-ac.php:43
auth · wp_ajax_wcal_gdpr_refused · includes\class-wcal-tracking-msg.php:28
auth · wp_ajax_tyche_plugin_deactivation_submit_action · includes\component\plugin-deactivation\class-tyche-plugin-deactivation.php:93
auth · wp_ajax_wcal_dismiss_upgrade_to_pro · includes\component\upgrade-to-pro\ts-upgrade-to-pro.php:130
auth · wp_ajax_wcal_preview_email_sent · woocommerce-ac.php:246
auth · wp_ajax_wcal_toggle_template_status · woocommerce-ac.php:247
auth · wp_ajax_wcal_abandoned_cart_info · woocommerce-ac.php:248
auth · wp_ajax_wcal_dismiss_admin_notice · woocommerce-ac.php:249
auth · wp_ajax_wcal_json_find_coupons · woocommerce-ac.php:252
auth · wp_ajax_wcal_delete_expired_used_coupon_code · woocommerce-ac.php:271

WordPress Hooks 89

action · wcap_send_admin_notification · cron\class-wcal-admin-notification.php:26
action · plugins_loaded · cron\class-wcal-admin-notification.php:27
filter · wp_privacy_personal_data_erasers · includes\admin\class-wcal-personal-data-eraser.php:30
filter · wp_privacy_personal_data_exporters · includes\admin\class-wcal-personal-data-export.php:30
filter · ts_tracker_data · includes\class-wcal-data-tracking.php:30
action · admin_footer · includes\class-wcal-data-tracking.php:31
action · wcal_init_tracker_completed · includes\class-wcal-data-tracking.php:33
filter · wcal_ts_tracker_display_notice · includes\class-wcal-data-tracking.php:34
filter · wcal_ts_tracker_data · includes\class-wcal-data-tracking.php:35
filter · ts_tracker_opt_out_data · includes\class-wcal-data-tracking.php:36
action · woocommerce_after_checkout_billing_form · includes\class-wcal-guest-ac.php:25
action · wfacp_footer_before_print_scripts · includes\class-wcal-guest-ac.php:26
action · init · includes\class-wcal-guest-ac.php:27
filter · woocommerce_checkout_fields · includes\class-wcal-guest-ac.php:29
action · wp_footer · includes\class-wcal-guest-ac.php:30
action · woocommerce_blocks_loaded · includes\class-wcal-guest-ac.php:31
action · woocommerce_blocks_checkout_block_registration · includes\class-wcal-guest-ac.php:496
action · woocommerce_ac_send_email_action · includes\class-wcal-process-base.php:20
action · wcal_webhook_initiated · includes\class-wcal-process-base.php:23
action · woocommerce_after_add_to_cart_button · includes\class-wcal-tracking-msg.php:27
filter · woocommerce_webhook_topics · includes\class-wcal-webhooks.php:27
filter · woocommerce_webhook_topic_hooks · includes\class-wcal-webhooks.php:28
filter · woocommerce_valid_webhook_resources · includes\class-wcal-webhooks.php:29
filter · woocommerce_valid_webhook_events · includes\class-wcal-webhooks.php:30
filter · woocommerce_webhook_payload · includes\class-wcal-webhooks.php:31
filter · woocommerce_webhook_deliver_async · includes\class-wcal-webhooks.php:32
action · wcal_cart_recovered · includes\class-wcal-webhooks.php:34
action · wcap_webhook_after_cutoff · includes\class-wcal-webhooks.php:35
action · admin_menu · includes\component\faq-support\ts-faq-support.php:92
action · admin_head · includes\component\faq-support\ts-faq-support.php:93
action · admin_print_scripts-plugins.php · includes\component\plugin-deactivation\class-tyche-plugin-deactivation.php:92
action · admin_notices · includes\component\plugin-tracking\class-tyche-plugin-tracking.php:81
filter · cron_schedules · includes\component\plugin-tracking\class-tyche-plugin-tracking.php:82
action · admin_init · includes\component\plugin-tracking\class-tyche-plugin-tracking.php:83
action · admin_notices · includes\component\pro-notices-in-lite\ts-pro-notices.php:66
action · admin_init · includes\component\pro-notices-in-lite\ts-pro-notices.php:67
action · admin_notices · includes\component\upgrade-to-pro\ts-upgrade-to-pro.php:125
action · admin_enqueue_scripts · includes\component\upgrade-to-pro\ts-upgrade-to-pro.php:129
action · admin_init · includes\component\woocommerce-check\ts-woo-active.php:44
action · admin_notices · includes\component\woocommerce-check\ts-woo-active.php:55
filter · woocommerce_order_details_after_order_table · includes\frontend\class-wcal-checkout-process.php:27
action · woocommerce_order_status_changed · includes\frontend\class-wcal-checkout-process.php:29
action · woocommerce_order_status_changed · includes\frontend\class-wcal-checkout-process.php:30
action · woocommerce_checkout_order_processed · includes\frontend\class-wcal-checkout-process.php:32
action · woocommerce_store_api_checkout_update_order_from_request · includes\frontend\class-wcal-checkout-process.php:33
filter · woocommerce_payment_complete_order_status · includes\frontend\class-wcal-checkout-process.php:34
action · admin_notices · woocommerce-ac.php:198
action · init · woocommerce-ac.php:200
action · admin_menu · woocommerce-ac.php:206
action · before_woocommerce_init · woocommerce-ac.php:207
action · woocommerce_add_to_cart · woocommerce-ac.php:210
action · woocommerce_cart_item_removed · woocommerce-ac.php:211
action · woocommerce_cart_item_restored · woocommerce-ac.php:212
action · woocommerce_after_cart_item_quantity_update · woocommerce-ac.php:213
action · woocommerce_calculate_totals · woocommerce-ac.php:214
filter · wcal_block_crawlers · woocommerce-ac.php:216
action · admin_init · woocommerce-ac.php:218
action · admin_init · woocommerce-ac.php:221
action · wcal_update_db · woocommerce-ac.php:222
action · admin_init · woocommerce-ac.php:225
action · init · woocommerce-ac.php:228
action · init · woocommerce-ac.php:230
filter · template_include · woocommerce-ac.php:233
action · template_include · woocommerce-ac.php:236
action · admin_enqueue_scripts · woocommerce-ac.php:238
action · admin_enqueue_scripts · woocommerce-ac.php:239
action · wcal_clear_carts · woocommerce-ac.php:242
filter · pre_update_option_wcal_auto_login_users · woocommerce-ac.php:250
action · admin_init · woocommerce-ac.php:259
action · init · woocommerce-ac.php:260
filter · admin_footer_text · woocommerce-ac.php:262
action · admin_notices · woocommerce-ac.php:264
action · admin_notices · woocommerce-ac.php:265
filter · cron_schedules · woocommerce-ac.php:269
action · woocommerce_ac_delete_coupon_action · woocommerce-ac.php:270
action · woocommerce_coupon_error · woocommerce-ac.php:273
action · woocommerce_applied_coupon · woocommerce-ac.php:274
action · woocommerce_before_cart_table · woocommerce-ac.php:276
action · woocommerce_before_checkout_form · woocommerce-ac.php:278
filter · woocommerce_email_from_address · woocommerce-ac.php:279
filter · woocommerce_email_from_name · woocommerce-ac.php:280
action · admin_notices · woocommerce-ac.php:283
action · wp_login · woocommerce-ac.php:286
filter · woocommerce_login_redirect · woocommerce-ac.php:288
action · admin_init · woocommerce-ac.php:292
filter · wp_plugin_check_checks · woocommerce-ac.php:293
filter · tiny_mce_before_init · woocommerce-ac.php:2467
filter · mce_buttons · woocommerce-ac.php:2468
filter · mce_external_plugins · woocommerce-ac.php:2469

Scheduled Events 2

wcal_clear_carts
woocommerce_ac_delete_coupon_action
Maintenance & Trust

Abandoned Cart Lite for WooCommerce Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 23, 2026
PHP min version: 7.3
Downloads: 1.3M

Community Trust

Rating: 82/100
Number of ratings: 86
Active installs: 20K
Developer Profile

Abandoned Cart Lite for WooCommerce Developer Profile

tychesoftwares

20 plugins · 159K total installs

Trust score: 73
Avg Security Score: 91/100
Avg Patch Time: 219 days
Detection Fingerprints

How We Detect Abandoned Cart Lite for WooCommerce

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/woocommerce-abandoned-cart/assets/css/wcal-frontend.css
/wp-content/plugins/woocommerce-abandoned-cart/assets/css/wcal-guest.css
/wp-content/plugins/woocommerce-abandoned-cart/assets/css/wcal-style.css
/wp-content/plugins/woocommerce-abandoned-cart/assets/js/wcal-admin-script.js
/wp-content/plugins/woocommerce-abandoned-cart/assets/js/wcal-common.js
/wp-content/plugins/woocommerce-abandoned-cart/assets/js/wcal-frontend.js
/wp-content/plugins/woocommerce-abandoned-cart/assets/js/wcal-guest.js
Script Paths
/wp-content/plugins/woocommerce-abandoned-cart/assets/js/wcal-common.js
/wp-content/plugins/woocommerce-abandoned-cart/assets/js/wcal-frontend.js
/wp-content/plugins/woocommerce-abandoned-cart/assets/js/wcal-guest.js
Version Parameters
woocommerce-abandoned-cart/assets/css/wcal-frontend.css?ver=
woocommerce-abandoned-cart/assets/css/wcal-guest.css?ver=
woocommerce-abandoned-cart/assets/css/wcal-style.css?ver=
woocommerce-abandoned-cart/assets/js/wcal-admin-script.js?ver=
woocommerce-abandoned-cart/assets/js/wcal-common.js?ver=
woocommerce-abandoned-cart/assets/js/wcal-frontend.js?ver=
woocommerce-abandoned-cart/assets/js/wcal-guest.js?ver=

HTML / DOM Fingerprints

CSS Classes
wcal-add-to-cart
wcal-cart-details
wcal-cart-table
wcal-checkout-coupon
wcal-empty-cart
wcal-order-details
wcal-order-review
wcal-product-gallery
+4 more
HTML Comments
<!-- WCAL START: Abandoned Cart Lite for WooCommerce -->
<!-- WCAL END: Abandoned Cart Lite for WooCommerce -->
Data Attributes
data-wcal-cart-id
data-wcal-product-id
data-wcal-user-id
JS Globals
wcal_common_data
wcal_frontend_params
wcal_guest_data
REST Endpoints
/wp-json/wcal/v1/cart
/wp-json/wcal/v1/guest-cart