CVE-2024-3345 is a stored cross-site scripting (XSS) vulnerability identified in the ShopLentor plugin for WordPress, which is a WooCommerce builder integrating with Elementor and Gutenberg page builders. The vulnerability exists in all versions up to and including 2.8.8 due to insufficient sanitization and escaping of user-supplied attributes in the woolentorsearch shortcode. This flaw allows authenticated users with contributor-level privileges or higher to inject arbitrary JavaScript code into pages. When other users visit these pages, the malicious scripts execute in their browsers, potentially compromising session tokens, cookies, or enabling further attacks such as privilege escalation or defacement. The vulnerability is classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v3.1 base score is 6.4, reflecting a medium severity with network attack vector, low attack complexity, requiring privileges but no user interaction, and impacting confidentiality and integrity with a scope change. No public exploits have been observed yet, but the vulnerability poses a significant risk to websites using this plugin, especially e-commerce sites relying on WooCommerce. The lack of an official patch at the time of publication necessitates immediate mitigation steps to reduce exposure.

The impact of CVE-2024-3345 is significant for organizations running WordPress sites with the ShopLentor plugin, particularly e-commerce platforms using WooCommerce. Successful exploitation can lead to the execution of arbitrary scripts in users' browsers, enabling attackers to steal session cookies, perform actions on behalf of users, or inject malicious content. This can result in compromised user accounts, unauthorized transactions, data leakage, and damage to brand reputation. Since contributor-level access is required, insider threats or compromised accounts can be leveraged to exploit this vulnerability. The scope of affected systems is broad given the widespread use of WordPress and WooCommerce globally. The vulnerability affects confidentiality and integrity but does not directly impact availability. Organizations with high traffic or sensitive customer data are at greater risk, and the attack surface includes any site allowing contributor-level users to add or edit content using the vulnerable shortcode.

1. Immediately restrict contributor-level and higher user permissions to trusted individuals only, minimizing the risk of malicious input injection. 2. Disable or remove the woolentorsearch shortcode usage in existing content until a patch is available. 3. Implement web application firewall (WAF) rules to detect and block suspicious script injection patterns targeting the shortcode parameters. 4. Monitor logs and user activity for unusual content submissions or edits involving the shortcode. 5. Educate content contributors about the risks of injecting untrusted input and enforce strict content review processes. 6. Regularly check for updates from the plugin vendor and apply official patches as soon as they are released. 7. Consider using security plugins that provide enhanced input sanitization and output escaping for shortcodes. 8. Conduct periodic security audits of WordPress plugins and custom code to identify and remediate similar vulnerabilities proactively.