ShopLentor Vulnerability – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-1057 | WordPress Plugin Vulnerability Report 

By Your WP Guy | April 19, 2024

Plugin Name: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor)

Key Information:

  • Software Type: Plugin
  • Software Slug: woolentor-addons
  • Software Status: Active
  • Software Author: devitemsllc
  • Software Downloads: 3,443,357
  • Active Installs: 100,000
  • Last Updated: May 2, 2024
  • Patched Versions: 2.8.2
  • Affected Versions: <= 2.8.1

Vulnerability Details:

  • Name: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +10 Modules – All in One Solution (formerly WooLentor) <= 2.8.1
  • Title: Authenticated (Contributor+) Stored Cross-Site Scripting
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-1057
  • CVSS Score: 6.4
  • Publicly Published: April 19, 2024
  • Researcher: Ngô Thiên An (ancorn_) - VNPT-VCI
  • Description: The ShopLentor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wishsuite_button' shortcode in all versions up to, and including, 2.8.1 due to insufficient input sanitization and output escaping on user supplied attributes like 'button_class'. This allows authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts that execute whenever a user accesses an injected page.

Summary:

The ShopLentor plugin for WordPress has a vulnerability in versions up to and including 2.8.1 that exposes sites to Stored Cross-Site Scripting attacks through insufficient sanitization in the 'wishsuite_button' shortcode. This vulnerability has been patched in version 2.8.2.

Detailed Overview:

This vulnerability was identified by researcher Ngô Thiên An, associated with VNPT-VCI. It specifically targets the 'wishsuite_button' shortcode, where the 'button_class' attribute is not properly sanitized, posing a risk to sites using this plugin. Attackers with at least contributor-level access can exploit this vulnerability to execute scripts in the user’s browser, potentially leading to unauthorized actions being performed on behalf of the user. To remediate this vulnerability, the developer has released an updated version that addresses these security gaps.

Advice for Users:

  • Immediate Action: Update to version 2.8.2 immediately to mitigate this vulnerability.
  • Check for Signs of Vulnerability: Monitor your site for unexpected changes or unusual user behavior, which might indicate a compromise.
  • Alternate Plugins: While a patch is available, consider evaluating other reputable WooCommerce builder plugins as a precaution.
  • Stay Updated: Continuously update your plugins to the latest versions to safeguard against vulnerabilities.

Conclusion:

The prompt response from the ShopLentor developers in patching this vulnerability highlights the critical importance of maintaining up-to-date software on your WordPress site. Users are advised to update their installations to version 2.8.2 or later to secure their sites effectively.

References:

Detailed Report: 

In the digital age, the security of your WordPress website is paramount. The recent disclosure of a severe vulnerability in the ShopLentor plugin—a popular tool used by over 100,000 websites to enhance WooCommerce capabilities—serves as a stark reminder of the risks associated with outdated software. The vulnerability, known as CVE-2024-1057, highlights the ever-present need to ensure your website's plugins are up-to-date to protect against sophisticated cyber threats.

Understanding the Vulnerability

The identified vulnerability allows authenticated users with contributor-level access or higher to exploit stored cross-site scripting (XSS) issues in the plugin. By exploiting the 'wishsuite_button' shortcode, attackers can inject malicious scripts into web pages, which then execute whenever a user accesses these pages. This could potentially allow unauthorized actions, data theft, or full control over an infected site. It was discovered by researcher Ngô Thiên An from VNPT-VCI and publicly published on April 19, 2024.

Risks and Potential Impacts

The risks associated with this vulnerability are significant, particularly because it targets a plugin that integrates deeply with e-commerce functionalities. An exploitation can lead to unauthorized actions being performed on behalf of users, manipulation of web content, or even stealing sensitive customer data, which could irreparably damage a business's reputation and customer trust.

How to Remediate the Vulnerability

To address this vulnerability, the developers have released version 2.8.2 of the ShopLentor plugin. Immediate actions include:

  • Updating the plugin to the latest patched version (2.8.2).
  • Regularly monitoring your website for unusual activity or unauthorized changes.
  • Considering alternative reputable WooCommerce builder plugins as a precautionary measure.

Historical Context and Previous Vulnerabilities

Since April 13, 2021, there have been 11 previous vulnerabilities reported for this plugin. This history underscores the necessity of regular updates and vigilance, even if no immediate threats seem apparent.

Conclusion: The Importance of Proactive Security

For small business owners, managing a website's security can seem daunting, especially with limited time and resources. However, the consequences of neglecting website security can be far more time-consuming and expensive than the preventive steps required to protect it. Staying on top of security updates is not merely about protecting data but is crucial for safeguarding your business's online presence and reputation.

Consider engaging security experts or utilizing managed WordPress hosting services that include regular updates and security checks. By doing so, you can ensure your website remains secure, allowing you to focus more on growing your business rather than managing its vulnerabilities.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

ShopLentor Vulnerability – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) – Authenticated (Contributor+) Stored Cross-Site Scripting – CVE-2024-1057 | WordPress Plugin Vulnerability Report FAQs

Share this post:

Share on Pinterest Share on LinkedIn Share on Reddit Share on WhatsApp Share on Pocket Share on SMS
Posted in Security, Vulnerabilities and tagged , , , , , , , , , ,

Leave a Comment