CVE-2024-3345 in ShopLentor Plugin
Summary
by MITRE • 05/21/2024
The ShopLentor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's woolentorsearch shortcode in all versions up to, and including, 2.8.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 11/26/2025
The vulnerability identified as CVE-2024-3345 affects the ShopLentor plugin for WordPress, specifically targeting versions up to and including 2.8.8. This represents a critical security flaw that undermines the integrity of WordPress installations using this plugin. The vulnerability manifests through the woolentorsearch shortcode functionality, which fails to properly sanitize user-supplied input parameters. Attackers exploiting this weakness can manipulate the plugin's behavior by injecting malicious scripts through carefully crafted shortcode attributes, creating a persistent threat that affects all users who access pages containing the compromised content.
The technical nature of this vulnerability stems from inadequate input validation and output escaping mechanisms within the plugin's codebase. When administrators or users with contributor-level privileges or higher utilize the woolentorsearch shortcode with maliciously crafted attributes, the plugin fails to properly escape or sanitize the input before rendering it in the web page output. This creates a classic stored cross-site scripting scenario where malicious code becomes permanently embedded within the plugin's functionality and executes each time affected pages are accessed by any user. The vulnerability operates at the intersection of weak input sanitization and insufficient output escaping, both of which are fundamental security practices that should be implemented in all web applications processing user input.
From an operational perspective, this vulnerability presents a significant risk to WordPress installations as it requires only contributor-level access to exploit, making it particularly dangerous in environments where multiple users have elevated privileges. The stored nature of the XSS attack means that once the malicious payload is injected, it will execute automatically for any user who accesses the compromised pages, regardless of their privilege level or authentication status. This creates a persistent threat vector that can be leveraged to perform various malicious activities including session hijacking, credential theft, redirection to malicious sites, or data exfiltration from authenticated users. The impact extends beyond individual user sessions to potentially compromise entire WordPress installations and the underlying web servers.
Organizations and WordPress administrators should prioritize immediate remediation of this vulnerability by upgrading to a patched version of the ShopLentor plugin, as recommended by the plugin developers and security vendors. The mitigation strategy should include comprehensive monitoring of plugin usage patterns and user activity logs to detect any unauthorized modifications or suspicious shortcode usage. Additionally, implementing proper access controls and privilege management can help limit the potential impact of such vulnerabilities by reducing the number of users with contributor-level access or higher. Security professionals should also consider deploying web application firewalls and content security policies as additional defensive measures to detect and prevent exploitation attempts. This vulnerability aligns with CWE-79 which specifically addresses cross-site scripting flaws, and may be mapped to ATT&CK technique T1566 for social engineering through malicious content injection, emphasizing the need for layered security approaches to protect WordPress environments.