Vulnerabilities and security researches forwoolentor-addons woolentor-addons
Direction: ascendingJun 07, 2024
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) # CVE-2022-47172
- CVE, Research URL
- Date
- Jul 17, 2023
- Research Description
- Cross-Site Request Forgery (CSRF) vulnerability in HasThemes ShopLentor plugin <= 2.6.2 versions.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) # CVE-2024-1960
- CVE, Research URL
- Date
- Apr 10, 2024
- Research Description
- The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Special Offer Day Widget Banner Link in all versions up to, and including, 2.8.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) # CVE-2024-2868
- CVE, Research URL
- Date
- Apr 04, 2024
- Research Description
- The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the slitems parameter in the WL Special Day Offer Widget in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor access or above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) # CVE-2023-7067
- CVE, Research URL
- Date
- May 02, 2024
- Research Description
- The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +10 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'woolentor_template_store' function in all versions up to, and including, 2.8.1. This makes it possible for authenticated attackers, with contributor access and above to access the nonce used to access this function and set a blank template as the default template.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) # CVE-2021-24262
- CVE, Research URL
- Date
- May 06, 2021
- Research Description
- The “WooLentor – WooCommerce Elementor Addons + Builder” WordPress Plugin before 1.8.6 has a widget that is vulnerable to stored Cross-Site Scripting (XSS) by lower-privileged users such as contributors, all via a similar method.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) # CVE-2022-46798
- CVE, Research URL
- Date
- Mar 01, 2023
- Research Description
- Cross-Site Request Forgery (CSRF) vulnerability in HasThemes ShopLentor plugin <= 2.5.1 leading to plugin settings change.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) # CVE-2023-0232
- CVE, Research URL
- Date
- Feb 21, 2023
- Research Description
- The ShopLentor WordPress plugin before 2.5.4 unserializes user input from cookies in order to track viewed products and user data, which could lead to PHP Object Injection.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) # CVE-2023-0231
- CVE, Research URL
- Date
- Feb 21, 2023
- Research Description
- The ShopLentor WordPress plugin before 2.5.4 does not validate and escape some of its block options before outputting them back in a page/post where the block is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) # CVE-2023-6327
- CVE, Research URL
- Date
- May 14, 2024
- Research Description
- The ShopLentor (formerly WooLentor) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the purchased_new_products function in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to view all products purchased in the past week, along with the users that purchased them.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) # CVE-2024-34767
- CVE, Research URL
- Date
- Jun 03, 2024
- Research Description
- Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in HasThemes ShopLentor allows Stored XSS.This issue affects ShopLentor: from n/a through 2.8.7.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) # CVE-2024-3345
- CVE, Research URL
- Date
- May 21, 2024
- Research Description
- The ShopLentor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's woolentorsearch shortcode in all versions up to, and including, 2.8.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) # CVE-2024-2946
- CVE, Research URL
- Date
- Apr 10, 2024
- Research Description
- The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's QR Code Widget in all versions up to, and including, 2.8.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) # CVE-2024-1057
- CVE, Research URL
- Date
- Apr 20, 2024
- Research Description
- The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +10 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wishsuite_button' shortcode in all versions up to, and including, 2.8.1 due to insufficient input sanitization and output escaping on user supplied attributes like 'button_class'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) # CVE-2024-3991
- CVE, Research URL
- Date
- May 02, 2024
- Research Description
- The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _id attribute in the Horizontal Product Filter in all versions up to, and including, 2.8.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) # CVE-2024-4566
- CVE, Research URL
- Date
- May 21, 2024
- Research Description
- The ShopLentor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_dismiss function in all versions up to, and including, 2.8.8. This makes it possible for authenticated attackers, with contributor-level access and above, to set arbitrary WordPress options to "true". NOTE: This vulnerability can be exploited by attackers with subscriber- or customer-level access and above if (1) the WooCommerce plugin is deactivated or (2) access to the default WordPress admin dashboard is explicitly enabled for authenticated users.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Jun 13, 2024
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) # CVE-2024-5530
- CVE, Research URL
- Date
- Jun 11, 2024
- Research Description
- The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's WL: Product Horizontal Filter widget in all versions up to, and including, 2.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Sep 26, 2024
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) # CVE-2024-8668
- CVE, Research URL
- Date
- Sep 25, 2024
- Research Description
- The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the tooltip and countdown functionality in all versions up to, and including, 2.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Oct 11, 2024
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) # CVE-2024-9538
- CVE, Research URL
- Date
- Oct 11, 2024
- Research Description
- The ShopLentor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.8 via the 'render' function in includes/addons/wl_faq.php. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive private, pending, and draft Elementor template data.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Mar 12, 2025
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) # CVE-2025-1527
- CVE, Research URL
- Date
- Mar 12, 2025
- Research Description
- The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to a Stored DOM-Based Cross-Site Scripting via the plugin's Flash Sale Countdown module in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable
Apr 26, 2025
ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) # CVE-2025-3775
- CVE, Research URL
- Date
- Apr 25, 2025
- Research Description
- The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.1.2 via the woolentor_template_proxy function. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application, and can be used to query and modify information from internal services.
- Affected versions
-
Min -, max -.
- Status
-
vulnerable