CVE-2023-7067 in ShopLentor Plugininfo

Summary

by MITRE • 05/02/2024

The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +10 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'woolentor_template_store' function in all versions up to, and including, 2.8.1. This makes it possible for authenticated attackers, with contributor access and above to access the nonce used to access this function and set a blank template as the default template.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 11/26/2025

The vulnerability identified as CVE-2023-7067 affects the ShopLentor WordPress plugin, which serves as a comprehensive WooCommerce builder solution integrating Elementor and Gutenberg functionality. This plugin operates as a critical component in WordPress e-commerce environments, providing users with extensive customization capabilities for online stores. The security flaw stems from insufficient access controls within the plugin's core functionality, specifically impacting the woolentor_template_store function that manages template configurations. Attackers exploiting this vulnerability can manipulate the default template settings, potentially compromising the visual integrity and operational functionality of WooCommerce stores.

The technical implementation of this vulnerability resides in the absence of proper capability verification within the woolentor_template_store function. This function, which should require administrator-level privileges to modify template configurations, fails to validate user permissions before executing template modification operations. The missing capability check creates an unauthorized access vector that allows authenticated users with contributor-level privileges or higher to manipulate template data. The vulnerability specifically enables attackers to obtain and utilize nonces designed for legitimate template management operations, subsequently allowing them to set blank or malicious templates as default configurations.

The operational impact of CVE-2023-7067 extends beyond simple data modification, potentially disrupting entire e-commerce operations and compromising user experience. When attackers set blank templates as default, they can effectively break the storefront presentation, rendering products inaccessible or poorly displayed to customers. This vulnerability particularly affects online businesses relying on the plugin's template system, as unauthorized template changes can cause significant revenue loss through impaired customer experience and potential security breaches. The impact is amplified because the vulnerability affects all versions up to and including 2.8.1, indicating a prolonged period during which systems remained exposed without proper access controls.

From a cybersecurity perspective, this vulnerability aligns with CWE-284, which addresses improper access control mechanisms in software applications. The flaw represents a classic privilege escalation scenario where lower-privileged users gain access to functions intended for higher-level administrators. This issue also maps to ATT&CK technique T1078.004, which covers valid accounts and compromised credentials, as the vulnerability exploits existing authenticated user sessions rather than requiring additional credential compromise. Organizations should implement immediate mitigation strategies including plugin version updates, capability validation enforcement, and monitoring for unauthorized template modifications to prevent exploitation of this vulnerability.

The remediation approach requires immediate plugin updates to versions that address the missing capability checks, ensuring that the woolentor_template_store function properly validates user permissions before executing template modifications. Security administrators should also implement role-based access controls that restrict template management functions to administrator-level users only, preventing contributor and editor accounts from accessing sensitive template configuration options. Regular security audits should verify that all plugin functions properly validate user capabilities, and monitoring systems should be configured to detect unauthorized template changes that could indicate exploitation attempts. Organizations should also consider implementing additional security measures such as nonce validation and request origin verification to strengthen the overall security posture against similar vulnerabilities.

Responsible

Wordfence

Reservation

12/21/2023

Disclosure

05/02/2024

Moderation

accepted

CPE

ready

EPSS

0.00340

KEV

no

Activities

very low

Sources

Want to stay up to date on a daily basis?

Enable the mail alert feature now!