ShopLentor – WooCommerce Builder for Elementor & Gutenberg +10 Modules – All in One Solution (formerly WooLentor) <= 2.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

Wordfence Intelligence > Vulnerability Database > ShopLentor – WooCommerce Builder for Elementor & Gutenberg +10 Modules – All in One Solution (formerly WooLentor) <= 2.8.1 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

CVE	CVE-2024-1057
CVSS	6.4 (Medium)
Publicly Published	April 19, 2024
Last Updated	April 20, 2024
Researcher	Ngô Thiên An (ancorn_)

Description

The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +10 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'wishsuite_button' shortcode in all versions up to, and including, 2.8.1 due to insufficient input sanitization and output escaping on user supplied attributes like 'button_class'. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Learn more about Cross-Site Scripting vulnerabilities and how to prevent them.

References

plugins.trac.wordpress.org

Vulnerability Details for ShopLentor – All-in-One WooCommerce Growth & Store Enhancement Plugin

ShopLentor – All-in-One WooCommerce Growth & Store Enhancement Plugin

Software Type	Plugin
Software Slug	woolentor-addons (view on wordpress.org)
Patched?	Yes
Remediation	Update to version 2.8.2, or a newer patched version
Affected Version	<= 2.8.1
Patched Version	2.8.2

Recent vulnerabilities in ShopLentor – All-in-One WooCommerce Growth & Store Enhancement Plugin

ShopLentor - WooCommerce Builder for Elementor & Gutenberg <= 3.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Product Grid 'blockUniqId' Block Attribute

5.4

CVE-2026-6287

May 26, 2026

Researcher: ammonia

ShopLentor <= 3.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'button_text' Shortcode Attribute

6.4

CVE-2026-4059

Apr 13, 2026

Researcher: zaim

ShopLentor <= 3.3.2 - Unauthenticated Email Relay Abuse via 'woolentor_suggest_price_action' AJAX Action

8.6

CVE-2026-1714

Feb 17, 2026

Researcher: Teerachai Somprasong

ShopLentor <= 3.2.5 - Unauthenticated Local PHP File Inclusion via 'load_template'

9.8

CVE-2025-12493

Nov 3, 2025

Researcher: mikemyers

ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution <= 3.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

6.4

CVE-2025-11823

Oct 24, 2025

Researcher: theviper17y

ShopLentor <= 3.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting

6.4

CVE-2025-58990

Sep 9, 2025

Researcher: Denver Jackson

ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) <= 3.1.2 - Unauthenticated Server-Side Request Forgery via URL Parameter

6.5

CVE-2025-3775

Apr 24, 2025

Researcher: mikemyers

ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) <= 3.1.0 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Flash Sale Countdown Module

6.4

CVE-2025-1527

Mar 11, 2025

Researcher: Webbernaut

ShopLentor <= 2.9.8 - Authenticated (Contributor+) Sensitive Information Exposure via WL: FAQ Widget Elementor Template

4.3

CVE-2024-9538

Oct 10, 2024

Researcher: Ankit Patel

ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) <= 2.9.7 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting

6.4

CVE-2024-8668

Sep 24, 2024

Researcher: Webbernaut

#	Title	CVE ID	CVSS	Researchers	Date
1	ShopLentor - WooCommerce Builder for Elementor & Gutenberg <= 3.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Product Grid 'blockUniqId' Block Attribute	CVE-2026-6287	5.4	ammonia	May 26, 2026
2	ShopLentor <= 3.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'button_text' Shortcode Attribute	CVE-2026-4059	6.4	zaim	April 13, 2026
3	ShopLentor <= 3.3.2 - Unauthenticated Email Relay Abuse via 'woolentor_suggest_price_action' AJAX Action	CVE-2026-1714	8.6	Teerachai Somprasong	February 17, 2026
4	ShopLentor <= 3.2.5 - Unauthenticated Local PHP File Inclusion via 'load_template'	CVE-2025-12493	9.8	mikemyers	November 3, 2025
5	ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution <= 3.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode	CVE-2025-11823	6.4	theviper17y	October 24, 2025
6	ShopLentor <= 3.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting	CVE-2025-58990	6.4	Denver Jackson	September 9, 2025
7	ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) <= 3.1.2 - Unauthenticated Server-Side Request Forgery via URL Parameter	CVE-2025-3775	6.5	mikemyers	April 24, 2025
8	ShopLentor – WooCommerce Builder for Elementor & Gutenberg +20 Modules – All in One Solution (formerly WooLentor) <= 3.1.0 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Flash Sale Countdown Module	CVE-2025-1527	6.4	Webbernaut	March 11, 2025
9	ShopLentor <= 2.9.8 - Authenticated (Contributor+) Sensitive Information Exposure via WL: FAQ Widget Elementor Template	CVE-2024-9538	4.3	Ankit Patel	October 10, 2024
10	ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor) <= 2.9.7 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting	CVE-2024-8668	6.4	Webbernaut	September 24, 2024

View more vulnerabilities in this software package View more vulnerabilities

This record contains material that is subject to copyright.

License: Defiant hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute this software vulnerability information. Any copy of the software vulnerability information you make for such purposes is authorized provided that you include a hyperlink to this vulnerability record and reproduce Defiant's copyright designation and this license in any such copy. Read more.

License: CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. Read more.

Have information to add, or spot any errors? Contact us at wfi-support@wordfence.com so we can make any appropriate adjustments.

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation