Stored Cross-Site Scripting Vulnerability in WooCommerce Builder Plugin by WordPress
CVE-2024-3991

6.4MEDIUM

Key Information:

Vendor: Wordpress
Status: Shoplentor – WooCommerce Builder For Elementor & Gutenberg +12 Modules – All In One Solution (formerly Woolentor)
Vendor: CVE Published:; 2 May 2024

Summary

The ShopLentor plugin for WordPress, specifically the Horizontal Product Filter module, exhibits a stored cross-site scripting vulnerability due to inadequate input sanitization and lack of output escaping. This flaw allows authenticated attackers with contributor-level access or higher to craft malicious web scripts that get executed when users navigate to pages containing the injected scripts. The vulnerability affects all versions of the plugin up to and including 2.8.7, making it critical for site administrators to address this issue to safeguard their websites from potential exploitation.

Affected Version(s)

ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) * <= 2.8.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3080097/wool...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Timeline

Vulnerability published
May 2, 2024
Vulnerability Reserved
Apr 19, 2024

Credit

Matthew Rollings