ShopLentor Vulnerability – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) – Authenticated Stored Cross-Site Scripting via Banner Link – CVE-2024-1960 | WordPress Plugin Vulnerability Report

Plugin Name: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor)

Key Information:

  • Software Type: Plugin
  • Software Slug: woolentor-addons
  • Software Status: Active
  • Software Author: devitemsllc
  • Software Downloads: 3,272,321
  • Active Installs: 100,000
  • Last Updated: March 14, 2024
  • Patched Versions: 2.8.2
  • Affected Versions: <= 2.8.1

Vulnerability Details:

  • Name: ShopLentor <= 2.8.1
  • Title: Authenticated(Contributor+) Stored Cross-Site Scripting via Banner Link
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-1960
  • CVSS Score: 6.4
  • Publicly Published: March 14, 2024
  • Researcher: Webbernaut
  • Description: ShopLentor, a comprehensive WooCommerce builder for WordPress, has been found vulnerable to Stored Cross-Site Scripting (XSS) in all versions up to 2.8.1. This vulnerability exists in the Special Offer Day Widget Banner Link due to inadequate input sanitization and output escaping, allowing authenticated users with at least contributor-level permissions to execute arbitrary scripts on web pages.

Summary:

ShopLentor, vital for enhancing WooCommerce capabilities on WordPress sites, exhibits a vulnerability in versions up to and including 2.8.1. Identified as CVE-2024-1960, this vulnerability facilitates Authenticated Stored Cross-Site Scripting attacks via the banner link of the Special Offer Day Widget, putting site integrity and user data at risk. The developers have rectified this issue in version 2.8.2, reinforcing the plugin's security.

Detailed Overview:

CVE-2024-1960, uncovered by security expert Webbernaut, emphasizes the necessity of rigorous input validation and encoding within web applications, especially those that handle user-generated content like ShopLentor. This vulnerability underscores the potential for exploitation by malicious users, highlighting the critical need for secure coding practices and attentive user role management on WordPress platforms.

Advice for Users:

  • Immediate Action: Ensure the ShopLentor plugin is updated to version 2.8.2 to mitigate the XSS vulnerability.
  • Check for Signs of Vulnerability: Monitor for unauthorized script executions or content alterations, particularly in areas employing the Special Offer Day Widget, as these could indicate vulnerability exploitation.
  • Alternate Plugins: While the updated version is deemed secure, users may explore alternative WooCommerce builders with distinct security features or functionalities.
  • Stay Updated: Regularly updating WordPress plugins, themes, and the core is essential for protecting against vulnerabilities and maintaining site performance.

Conclusion:

The swift resolution of CVE-2024-1960 in the ShopLentor plugin serves as a crucial reminder of the ongoing need for vigilance and proactive security measures within the WordPress ecosystem. For WordPress site administrators, especially those managing small business websites with limited IT resources, the commitment to timely software updates and adherence to security best practices is vital for safeguarding digital assets against evolving cyber threats.

References:

 

In today's fast-paced digital age, maintaining the security of a WordPress website is paramount, particularly for small business owners who rely heavily on their online presence. The recent discovery of a vulnerability within the widely utilized ShopLentor plugin—renowned for its ability to augment WooCommerce with advanced functionalities for Elementor & Gutenberg—serves as a stark reminder of the ever-present cyber threats lurking in the digital landscape.

Plugin Overview:

ShopLentor, previously known as WooLentor, has carved a niche for itself as an indispensable tool for over 100,000 WordPress sites, facilitating an enhanced user experience with its array of modules. Developed by devitemsllc, this plugin has seen over 3 million downloads, a testament to its utility and popularity within the WordPress community.

Vulnerability Details:

CVE-2024-1960 exposes a critical flaw in ShopLentor versions up to 2.8.1, where the 'Banner Link' attribute in the Special Offer Day Widget is susceptible to Authenticated Stored Cross-Site Scripting (XSS). This vulnerability arises due to insufficient input sanitization and output escaping, enabling authenticated users with contributor-level access or higher to inject harmful scripts. Notably, this risk is contingent upon the victim enabling the 'Show Toolbar when viewing site' option in their profile.

Implications and Risks:

The implications of CVE-2024-1960 are far-reaching, with the potential to compromise site integrity and user data privacy. Stored XSS vulnerabilities like this one allow attackers to execute arbitrary code on the affected sites, potentially leading to unauthorized access, data theft, and further exploitation of site visitors.

Remediation and User Advice:

In response, ShopLentor's developers have promptly issued an update, version 2.8.2, to patch this vulnerability. Users are urged to update their plugin installations without delay to secure their sites against potential exploits. Additionally, website administrators should remain vigilant for signs of unauthorized access or script execution, particularly within areas utilizing the affected widget.

Historical Context:

This is not the first instance of vulnerability within ShopLentor, with 5 previous vulnerabilities reported since April 13, 2021. Each instance has been a learning opportunity, reinforcing the need for ongoing vigilance and prompt action in the face of emerging threats.

The Importance of Diligence:

The swift resolution of CVE-2024-1960 underscores the critical importance of regular updates and proactive security measures in safeguarding WordPress installations. For small business owners, the task of staying updated with the latest security patches, while daunting, is non-negotiable. The digital health of a business can significantly impact its operational integrity and customer trust, making cybersecurity a foundational aspect of modern business management.

In conclusion, the recent vulnerability in ShopLentor highlights the ongoing challenge of cybersecurity in the WordPress ecosystem. For site administrators and small business owners, the episode is a poignant reminder of the necessity to maintain a vigilant stance and adopt a proactive approach to website security, ensuring the safety and reliability of their digital assets in an ever-evolving threat landscape.

ShopLentor Vulnerability – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) – Authenticated Stored Cross-Site Scripting via Banner Link – CVE-2024-1960 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment