CVE-2024-2946 in ShopLentor Plugin
Summary
by MITRE • 04/10/2024
The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's QR Code Widget in all versions up to, and including, 2.8.4 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 11/26/2025
The vulnerability identified as CVE-2024-2946 affects the ShopLentor plugin for WordPress, which serves as a comprehensive WooCommerce builder solution integrating Elementor and Gutenberg functionalities. This plugin version 2.8.4 and earlier contains a critical stored cross-site scripting flaw that compromises the security of WordPress installations. The vulnerability specifically resides within the QR Code Widget component of the plugin, representing a significant risk to website administrators and users who rely on this commerce solution.
The technical flaw stems from inadequate input sanitization and output escaping mechanisms within the QR Code Widget functionality. Attackers with contributor-level privileges or higher can exploit this weakness by injecting malicious scripts through user-supplied attributes in the widget configuration. The vulnerability operates as a stored XSS attack because the malicious code is permanently saved within the WordPress database rather than being executed through a single request. When legitimate users access pages containing the injected content, the stored scripts execute in their browsers, potentially leading to unauthorized actions or data theft.
The operational impact of this vulnerability extends beyond simple script execution, as it enables attackers to perform various malicious activities within the context of the affected WordPress installation. Contributors with access to the admin panel can manipulate widget settings to inject persistent scripts that could redirect users to malicious sites, steal session cookies, or even modify content. This poses significant risks to e-commerce operations where customer data and transaction information are handled. The vulnerability essentially allows attackers to establish a persistent foothold within the WordPress environment, potentially enabling further exploitation of other system components.
Security professionals should note that this vulnerability aligns with CWE-79, which specifically addresses cross-site scripting flaws in web applications. The attack vector follows patterns consistent with the ATT&CK framework's T1566.001 technique for initial access through web application attacks. The flaw demonstrates the critical importance of proper input validation and output escaping in web applications, particularly those handling user-generated content. Organizations using the affected plugin version should immediately implement mitigations including updating to the latest patched version, implementing web application firewalls, and conducting thorough security audits of all plugin configurations to identify potential exploitation attempts.