CVE-2023-6327 in ShopLentor Plugin
Summary
by MITRE • 05/14/2024
The ShopLentor (formerly WooLentor) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the purchased_new_products function in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to view all products purchased in the past week, along with the users that purchased them.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 11/26/2025
The CVE-2023-6327 vulnerability affects the ShopLentor plugin for WordPress, which is a popular e-commerce solution built on the WooCommerce platform. This plugin enables users to create and manage online stores with various features including product management, order tracking, and customer analytics. The vulnerability resides within the purchased_new_products function, which is designed to retrieve and display recent purchase data. The flaw represents a critical security oversight that fundamentally undermines the plugin's access control mechanisms and exposes sensitive commercial information to unauthorized parties.
The technical implementation of this vulnerability stems from a missing capability check within the purchased_new_products function. This function should have required proper authentication and authorization before allowing access to purchase data, but instead it operates without verifying whether the requesting user possesses the necessary privileges. The function is designed to return information about products purchased within the past week, including both product details and the identities of customers who made those purchases. The absence of capability validation means that any unauthenticated attacker can simply call this function through the plugin's API endpoints, bypassing all normal WordPress security controls that would typically restrict access to such sensitive data.
The operational impact of this vulnerability is severe and multifaceted, as it exposes not only commercial product information but also detailed customer data that could be used for various malicious activities. Attackers can gain access to a comprehensive list of recent purchases, including product names, prices, and customer identities, creating significant privacy and business risks. This information could be exploited for competitive intelligence gathering, targeted marketing attacks, or even identity theft attempts. The vulnerability affects all versions of the plugin up to and including 2.8.7, representing a substantial attack surface that could impact numerous WordPress installations running this plugin. The exposure of customer purchase history creates potential for social engineering attacks and undermines customer trust in the affected e-commerce platforms.
This vulnerability aligns with CWE-285, which addresses insufficient authorization issues in software systems. The missing capability check represents a clear failure in implementing proper access controls, where the system does not verify that the requesting entity has adequate privileges to perform the requested operation. The attack pattern corresponds to techniques described in the MITRE ATT&CK framework under the T1078 credential access category, specifically targeting weaknesses in authentication and authorization controls. Organizations using this plugin face immediate risks including data breaches, regulatory compliance violations, and potential legal consequences due to exposure of customer information. The vulnerability demonstrates how seemingly minor implementation oversights in access control can create significant security risks in e-commerce platforms where customer privacy and business data protection are paramount. The recommended mitigation involves immediate updating of the plugin to a patched version that implements proper capability checks, along with monitoring for unauthorized access attempts and potential data exfiltration activities.
The vulnerability highlights the importance of implementing robust security controls in WordPress plugins, particularly those handling sensitive customer and transactional data. The issue serves as a reminder that even well-established plugins can contain critical security flaws that expose users to significant risks. Organizations should implement comprehensive security auditing practices for all third-party plugins and maintain up-to-date security monitoring to detect potential exploitation attempts. The exposure of purchase data and customer identities through this vulnerability underscores the need for continuous security assessment and the implementation of defense-in-depth strategies to protect sensitive information assets.