The ShopLentor – All-in-One WooCommerce Growth & Store Enhancement Plugin for WordPress suffers from a stored cross-site scripting vulnerability (CWE-79) identified as CVE-2024-1057. This vulnerability is due to improper neutralization of input during web page generation, specifically in the 'wishsuite_button' shortcode's 'button_class' attribute. Authenticated attackers with contributor or higher privileges can inject arbitrary JavaScript that executes in the context of users viewing the compromised pages. The issue affects all versions up to and including 2.8.1. The CVSS 3.1 base score is 6.4, reflecting network attack vector, low attack complexity, privileges required, no user interaction, and impacts on confidentiality and integrity with no availability impact. No patch or official fix has been documented at this time.

Successful exploitation allows authenticated users with contributor-level or higher permissions to inject persistent malicious scripts into pages via the vulnerable shortcode attribute. These scripts execute in the browsers of users who visit the infected pages, potentially leading to unauthorized actions or data disclosure limited to the scope of the affected site. The impact is limited to confidentiality and integrity, with no direct availability impact. There are no known active exploits in the wild currently.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, site administrators should restrict contributor-level permissions carefully and consider disabling or removing the vulnerable shortcode if possible. Monitoring for unusual script injections in content may help detect exploitation attempts. Applying general WordPress security best practices is advisable but not a direct mitigation for this specific vulnerability.