ShopLentor Vulnerability – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) – Authenticated Stored Cross-site Scripting via QR Code Widget – CVE-2024-2946 | WordPress Plugin Vulnerability Report 

Plugin Name: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor)

Key Information:

  • Software Type: Plugin
  • Software Slug: woolentor-addons
  • Software Status: Active
  • Software Author: devitemsllc
  • Software Downloads: 3,355,176
  • Active Installs: 100,000
  • Last Updated: April 4, 2024
  • Patched Versions: 2.8.5
  • Affected Versions: <= 2.8.4

Vulnerability Details:

  • Name: ShopLentor <= 2.8.4
  • Title: Authenticated (Contributor+) Stored Cross-site Scripting via QR Code Widget
  • Type: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
  • CVE: CVE-2024-2946
  • CVSS Score: 6.4
  • Publicly Published: April 4, 2024
  • Researchers: Phuoc Pham (p3tl0v3r) - VNPT Cyber Immunity, Ngô Thiên An (ancorn_) - VNPT-VCI
  • Description: The vulnerability in the ShopLentor plugin arises from insufficient sanitization and escaping of user inputs within the QR Code Widget, allowing authenticated contributors and above to inject and execute arbitrary scripts, compromising site security and user data integrity.


The vulnerability identified in the ShopLentor plugin highlights a significant risk, with versions up to 2.8.4 being susceptible to Stored Cross-Site Scripting attacks via the QR Code Widget. This issue has been effectively addressed in the latest version, 2.8.5, underscoring the importance of keeping WordPress environments updated to safeguard against potential exploits.

Detailed Overview:

Discovered by cybersecurity experts Phuoc Pham and Ngô Thiên An, this vulnerability poses a serious security threat, particularly to websites utilizing the ShopLentor plugin's QR Code Widget feature. The exploit enables attackers with sufficient privileges to insert malicious code that could be executed by unsuspecting users, potentially leading to unauthorized access or data leaks. The remediation provided in version 2.8.5 is crucial for mitigating this vulnerability.

Advice for Users:

  • Immediate Action: Update the ShopLentor plugin to version 2.8.5 to secure your WordPress site from this vulnerability.
  • Check for Signs of Vulnerability: Monitor your website for unusual behavior or unauthorized content changes, which may indicate exploitation.
  • Alternate Plugins: While the patched version resolves this issue, consider exploring other reputable plugins for enhanced security and functionality.
  • Stay Updated: Regularly update all WordPress components to protect against known vulnerabilities and enhance site performance.


The swift patching of the CVE-2024-2946 vulnerability in the ShopLentor plugin by the development team is a critical reminder of the ongoing need for vigilance and timely updates in maintaining digital security. For WordPress site owners, especially small business owners juggling numerous responsibilities, it's vital to prioritize regular plugin updates to prevent potential security breaches and ensure a secure online presence.


Detailed Report: 

In the dynamic world of WordPress, plugins like ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) play a pivotal role in empowering websites with enhanced functionalities. With over 100,000 active installations and millions of downloads, ShopLentor stands out as a vital tool for many. However, the discovery of a critical vulnerability, CVE-2024-2946, in versions up to 2.8.4, casts a spotlight on the ever-present need for vigilance in the realm of web security.

The Core of the Vulnerability:

The vulnerability manifests within the QR Code Widget of the ShopLentor plugin, where insufficient input sanitization and output escaping pave the way for authenticated users, from contributors upwards, to inject and execute arbitrary scripts. This security gap, identified by researchers Phuoc Pham and Ngô Thiên An, poses a direct threat to site integrity and user data privacy.

Potential Risks:

The exploitation of this vulnerability could lead to a range of adverse outcomes, from unauthorized data access to the dissemination of malicious content, profoundly affecting both website operators and their visitors. The risk extends beyond mere data compromise, threatening the trust and reliability foundational to any digital presence.

Remediation Steps:

In response, ShopLentor developers promptly released version 2.8.5, effectively closing the security loophole. Users of the plugin are urged to update immediately, ensuring their sites' defense against this particular threat. Additionally, site administrators should remain alert for any signs of compromise, such as unexpected content changes or anomalous site behavior.

Historical Context:

This isn't the first time vulnerabilities have been discovered within ShopLentor; the plugin has seen 7 recorded vulnerabilities since April 13, 2021. This history underlines the importance of continuous monitoring and updating as part of a comprehensive security strategy.

The Bigger Picture:

For small business owners juggling myriad responsibilities, staying abreast of every security update can seem daunting. Yet, the incident with ShopLentor serves as a critical reminder of the indispensable nature of proactive security measures. Regular updates, vigilant monitoring, and an informed approach to plugin selection form the bedrock of a secure WordPress site.

In a digital landscape where threats evolve with daunting speed, the security of your WordPress site cannot hinge on passive strategies. The swift resolution of CVE-2024-2946 by the ShopLentor team exemplifies the ongoing battle against vulnerabilities and the need for constant vigilance. Embracing regular maintenance, staying informed on security updates, and adopting a proactive stance on cybersecurity are non-negotiable aspects of safeguarding your online assets, ensuring the safety and trustworthiness of your digital presence in an unpredictable cyber world.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

ShopLentor Vulnerability – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) – Authenticated Stored Cross-site Scripting via QR Code Widget – CVE-2024-2946 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment