CVE-2024-8668: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) <= 2.9.7 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting
First published: Wed Sep 25 2024(Updated: )
The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the tooltip and countdown functionality in all versions up to, and including, 2.9.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Credit: security@wordfence.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Hasthemes Woolentor - WooCommerce Elementor Addons + Builder | <2.9.8 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.wordfence.com/threat-intel/vulnerabilities/id/afe2b2e5-601f-4b6b-940a-b82f723b8776?source=cve
- https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/2.9.7/assets/js/woolentor-widgets-active.js#L111
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3155859%40woolentor-addons&new=3155859%40woolentor-addons&sfp_email=&sfph_mail=
- https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/2.9.7/assets/js/woolentor-widgets-active.js#L151
Frequently Asked Questions
What is the severity of CVE-2024-8668?
The severity of CVE-2024-8668 is considered high due to its potential for Stored Cross-Site Scripting vulnerabilities.
How do I fix CVE-2024-8668?
To fix CVE-2024-8668, update the ShopLentor plugin to version 2.9.8 or later.
What functionality is affected by CVE-2024-8668?
CVE-2024-8668 affects the tooltip and countdown functionalities of the ShopLentor plugin.
Which versions of the ShopLentor plugin are vulnerable to CVE-2024-8668?
All versions of the ShopLentor plugin up to and including version 2.9.7 are vulnerable to CVE-2024-8668.
Who is affected by CVE-2024-8668?
Any WordPress users utilizing the ShopLentor plugin in versions 2.9.7 and below are affected by CVE-2024-8668.
- agent/weakness
- agent/title
- agent/references
- agent/type
- agent/first-publish-date
- agent/description
- agent/author
- collector/mitre-cve
- source/MITRE
- agent/remedy
- agent/last-modified-date
- agent/severity
- agent/softwarecombine
- agent/event
- collector/epss-latest
- source/FIRST
- agent/epss
- agent/source
- agent/tags
- collector/nvd-api
- source/NVD
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- vendor/hasthemes
- canonical/hasthemes woolentor - woocommerce elementor addons + builder