CVE-2025-1527 in ShopLentor Plugin

Summary

by MITRE • 03/12/2025

The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to a Stored DOM-Based Cross-Site Scripting via the plugin's Flash Sale Countdown module in all versions up to, and including, 3.1.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.


Analysis

by VulDB Data Team • 03/12/2025

The vulnerability identified as CVE-2025-1527 affects the ShopLentor WordPress plugin (formerly WooLentor), a WooCommerce builder for Elementor and Gutenberg that ships more than twenty modules. The flaw resides in the Flash Sale Countdown module and is present in all versions up to and including 3.1.0. The module neither sanitizes the attributes it accepts from users on input nor escapes them on output, so attacker-controlled markup reaches the rendered page unchanged.

The weakness is a stored, DOM-based cross-site scripting flaw, classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The attribute values configured for a Flash Sale Countdown are saved together with the post or page; when the page is viewed, the module's client-side code writes those stored values into the document without escaping them, so a value containing a tag or an inline event handler is parsed as HTML rather than displayed as text. An attacker with the Contributor role or higher can therefore plant the payload once, in a countdown attribute of a post they are allowed to edit, and it executes in the browser of every user who views that page, with that user's session, including an editor or administrator who opens the contributor's draft for review.

The impact goes beyond the script itself running. Because the payload executes with whatever privileges the viewer holds, a script that reaches an administrator's browser can send authenticated requests on that administrator's behalf to create or modify users, change content, or install further code, which turns a Contributor account into a full site compromise. WordPress sets its authentication cookies with the HttpOnly flag by default, so the realistic goal is performing actions as the victim rather than stealing the cookie. The stored nature of the payload means it persists in the database and fires on every load of the affected page until it is removed, which also makes it easy to overlook during remediation. In ATT&CK terms the execution maps to T1059.007 (Command and Scripting Interpreter: JavaScript); the practical outcome is privilege escalation from Contributor to administrator-level actions.

Mitigation starts with updating the plugin to a release later than 3.1.0 that fixes the flaw. On the development side, every user-controlled attribute must be escaped for the context it lands in at the point of output (esc_attr() and esc_html() on the server, textContent or setAttribute rather than innerHTML on the client), and values that only need to be a date, a number or a colour should be validated against an allow-list on save. Administrators should apply least privilege: review which roles actually need to author content that uses the plugin's modules, and remember that a Contributor's draft is executed in the browser of the editor who reviews it. A Content Security Policy that disallows inline script and a web application firewall rule matching script-like content in shortcode attributes add defence in depth but do not replace the update. Audit existing posts for countdown attributes that contain tags or on*= handlers, and monitor for unexpected user creation or role changes, which are the usual follow-on actions once a stored XSS reaches an administrator. The case is a reminder that a decorative feature such as a countdown timer becomes an attack vector as soon as its settings are rendered without escaping.
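The following is an added illustration, not ShopLentor's code, of the two points made above: how a shortcode attribute stored by a low-privileged author becomes stored, DOM-based XSS when the widget's front-end script builds markup by string concatenation and how per-context escaping removes it; and how an administrator can scan stored post content for such payloads. The shortcode name `flash_sale_countdown`, the attribute names and the sample post rows are constructed for this example and are not the plugin's real identifiers.

```javascript
// Added example (not ShopLentor's code). Shortcode name, attribute names and
// sample posts are hypothetical; the rendering and scanning logic is generic.

// Escaper for text-node and double-quoted-attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#039;");
}

// Toy shortcode attribute parser: key='value' pairs with single-quoted values.
function parseShortcodeAttrs(shortcode) {
  const attrs = {};
  const re = /(\w+)='([^']*)'/g;
  let m;
  while ((m = re.exec(shortcode)) !== null) attrs[m[1]] = m[2];
  return attrs;
}

// Constructed payload. A raw <script> tag in a Contributor's post body would be
// stripped by WordPress's kses filter, but an <img onerror> inside a shortcode
// attribute survives, because the plugin, not kses, renders that attribute.
const STORED_SHORTCODE =
  "[flash_sale_countdown title='Sale ends in<img src=x onerror=alert(document.cookie)>' end='2025-12-31']";

// Vulnerable pattern: stored settings are interpolated into an HTML string that
// the front-end script later assigns to element.innerHTML, so the payload is
// parsed as markup in every visitor's browser.
function renderCountdownUnsafe(attrs) {
  return `<div class="countdown" data-end="${attrs.end}">` +
         `<span class="title">${attrs.title}</span></div>`;
}

// Hardened pattern: each user-controlled value is escaped for the context it
// lands in before the string is built (or use textContent / setAttribute
// instead of innerHTML when writing to the DOM directly).
function renderCountdownSafe(attrs) {
  return `<div class="countdown" data-end="${escapeHtml(attrs.end)}">` +
         `<span class="title">${escapeHtml(attrs.title)}</span></div>`;
}

// True if the markup contains any tag other than the template's own div/span,
// i.e. something user-controlled was parsed as HTML.
function hasUnexpectedTag(html) {
  return /<(?!\/?(?:div|span)\b)[a-z]/i.test(html);
}

// Detection side: scan stored posts for shortcode attributes carrying tags,
// inline event handlers or javascript: URLs. Rows are constructed here; in a
// real audit they would come from wp_posts (ID, post_author, post_content).
function findSuspiciousShortcodeAttrs(posts, shortcodeName) {
  const shortcodeRe = new RegExp(`\\[${shortcodeName}\\b[^\\]]*\\]`, "g");
  const findings = [];
  for (const post of posts) {
    for (const sc of post.post_content.match(shortcodeRe) || []) {
      for (const [name, value] of Object.entries(parseShortcodeAttrs(sc))) {
        if (/<[a-z!\/]|\bon\w+\s*=|javascript:/i.test(value)) {
          findings.push({ post_id: post.ID, post_author: post.post_author, attr: name, value });
        }
      }
    }
  }
  return findings;
}

// Constructed sample rows standing in for wp_posts.
const SAMPLE_POSTS = [
  { ID: 11, post_author: 2, post_content: "Autumn sale! " + STORED_SHORTCODE },
  { ID: 12, post_author: 3, post_content: "[flash_sale_countdown title='Ends soon' end='2025-11-30']" },
  { ID: 13, post_author: 2, post_content: "No shortcode here." },
];

const attrs = parseShortcodeAttrs(STORED_SHORTCODE);
console.log("unsafe:", renderCountdownUnsafe(attrs));
console.log("safe:  ", renderCountdownSafe(attrs));
console.log("findings:", findSuspiciousShortcodeAttrs(SAMPLE_POSTS, "flash_sale_countdown"));
```

Running the block prints the unsafe markup with a live `<img onerror>` element, the safe markup with the same value rendered as `&lt;img ...&gt;` text, and one finding for post 11 by author 2. The scan keys on the attribute value rather than the whole post body because that is where kses does not reach; in a real WordPress audit the same regular expressions can be applied to `post_content` pulled with `$wpdb` or WP-CLI.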

Responsible: Wordfence

Reservation: 02/20/2025

Disclosure: 03/12/2025

Moderation: accepted

CPE: ready

EPSS: 0.00095

KEV: no

Activities: very low
