WordPress Plugin Vulnerabilities

ShopLentor (formerly WooLentor) < 2.8.8 - Missing Authorization

Description

The ShopLentor (formerly WooLentor) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the purchased_new_products function in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to view all products purchased in the past week, along with the users that purchased them.

Affects Plugins

Plugin icon
woolentor-addons
Fixed in 2.8.8

References

CVE
CVE-2023-6327
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/263324cb-31b7-40ad-ad7d-4582e128cd75

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
5.3 (medium)

Miscellaneous

Original Researcher
Francesco Carlucci
Verified
No
WPVDB ID
217194b5-f65c-42d7-97fb-7dbbe9eb7f7c

Timeline

Publicly Published
2024-05-03 (about 1 year ago)
Added
2024-05-03 (about 1 year ago)
Last Updated
2024-05-03 (about 1 year ago)

Other

Published
Title
Published
2022-06-02
Title
HTML2WP <= 1.0.0 - Subscriber+ Arbitrary File Deletion
Published
2026-01-22
Title
Hotel Listing <= 1.4.2 - Missing Authorization
Published
2024-06-28
Title
ArtPlacer Widget < 2.21.2 - Subscriber+ Arbitrary Widget Deletion
Published
2023-08-09
Title
EmbedPress < 3.8.3 - Subscriber+ Plugin Settings Delete
Published
2026-03-26
Title
Smart Slider 3 < 3.5.1.34 - Subscriber+ Arbitrary File Read via actionExportAll