CVE-2024-5530 in ShopLentor Plugin
Summary
by MITRE • 06/11/2024
The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's WL: Product Horizontal Filter widget in all versions up to, and including, 2.9.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 11/26/2025
The CVE-2024-5530 vulnerability affects the ShopLentor plugin for WordPress, a popular WooCommerce builder that integrates with Elementor and Gutenberg. This plugin serves as a comprehensive solution for creating online stores and has been widely adopted by e-commerce businesses. The vulnerability specifically resides within the WL: Product Horizontal Filter widget, which allows users to create dynamic product filtering interfaces on their WooCommerce stores. The issue represents a critical security flaw that could compromise the integrity of WordPress installations and potentially lead to broader system compromises.
The technical flaw manifests as a stored cross-site scripting vulnerability that stems from inadequate input sanitization and output escaping mechanisms within the plugin's codebase. When authenticated attackers with contributor-level permissions or higher interact with the WL: Product Horizontal Filter widget, they can inject malicious JavaScript code through user-supplied attributes. This code becomes permanently stored within the WordPress database and executes whenever any user accesses pages containing the injected content. The vulnerability operates at the application layer and specifically targets the plugin's handling of filter parameters, which are processed without proper validation or sanitization before being rendered in web pages.
The operational impact of this vulnerability is significant for WordPress administrators and e-commerce site owners. Attackers with contributor privileges can leverage this flaw to execute malicious scripts in the context of any user who views affected pages, potentially leading to session hijacking, data theft, or further system compromise. The stored nature of the vulnerability means that the malicious code persists even after the initial injection, making it particularly dangerous as it can affect multiple users over extended periods. This vulnerability undermines the trust model of WordPress installations, as it allows attackers to exploit legitimate user permissions to gain unauthorized access to sensitive information or system resources.
Mitigation strategies for CVE-2024-5530 should focus on immediate patching of the affected plugin to version 2.9.1 or later, which contains the necessary security fixes. WordPress administrators should also implement strict access controls and monitor user activities for any suspicious behavior related to the affected widget. Security best practices recommend reducing user permissions to the minimum necessary level and implementing content security policies to limit the impact of potential cross-site scripting attacks. The vulnerability aligns with CWE-79, which describes cross-site scripting flaws, and may be categorized under ATT&CK technique T1566 for social engineering through malicious content injection. Organizations should also consider implementing web application firewalls and regular security audits to prevent similar vulnerabilities from being exploited in their WordPress environments.