CVE-2023-6327: ShopLentor (formerly WooLentor) <= 2.8.7 - Missing Authorization via purchased_new_products
First published: Thu May 09 2024(Updated: )
The ShopLentor (formerly WooLentor) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the purchased_new_products function in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to view all products purchased in the past week, along with the users that purchased them.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| ShopLentor | <=2.8.7 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.wordfence.com/threat-intel/vulnerabilities/id/263324cb-31b7-40ad-ad7d-4582e128cd75?source=cve
- https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/2.7.4/includes/modules/sales-notification/class.sale_notification.php
- https://plugins.trac.wordpress.org/changeset/3080097/woolentor-addons/trunk/includes/modules/sales-notification/class.sale_notification.php?contextall=1&old=3061864&old_path=%2Fwoolentor-addons%2Ftrunk%2Fincludes%2Fmodules%2Fsales-notification%2Fclass.sale_notification.php
- agent/title
- agent/weakness
- agent/references
- agent/type
- agent/first-publish-date
- agent/description
- agent/severity
- agent/author
- agent/event
- collector/nvd-api
- source/NVD
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/source
- agent/softwarecombine
- agent/tags
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/shoplentor
- canonical/shoplentor