CVE-2024-3991 is a stored cross-site scripting vulnerability identified in the ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution WordPress plugin, formerly known as WooLentor. The vulnerability exists due to improper neutralization of input during web page generation, specifically insufficient sanitization and output escaping of the _id attribute in the Horizontal Product Filter component. This flaw allows authenticated users with contributor-level or higher privileges to inject arbitrary JavaScript code into pages. When other users access these pages, the injected scripts execute in their browsers, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of the victim. The vulnerability affects all versions up to and including 2.8.7. The attack vector is remote over the network, with low attack complexity, requiring only authenticated access but no user interaction for exploitation. The scope is considered changed (S:C) because the vulnerability affects resources beyond the attacker’s privileges, impacting other users. The CVSS v3.1 score of 6.4 reflects a medium severity rating, with partial impacts on confidentiality and integrity but no impact on availability. No public exploits have been reported yet, but the presence of this vulnerability in a widely used e-commerce plugin poses a significant risk to WordPress sites using ShopLentor, especially those with multiple user roles and contributors. The vulnerability underscores the importance of proper input validation and output encoding in web applications to prevent cross-site scripting attacks.

The primary impact of CVE-2024-3991 is the potential compromise of user confidentiality and integrity within affected WordPress sites using the ShopLentor plugin. Successful exploitation allows attackers to execute arbitrary scripts in the context of other users’ browsers, which can lead to theft of session cookies, credentials, or other sensitive information. Attackers may also perform unauthorized actions on behalf of victims, such as changing account settings or making fraudulent transactions. Since the vulnerability requires contributor-level access, it could be exploited by malicious insiders or compromised accounts. The scope of impact extends beyond the attacker’s privileges, affecting all users who view the injected content. This can damage organizational reputation, lead to data breaches, and cause financial losses, especially for e-commerce sites relying on WooCommerce. Although no availability impact is noted, the integrity and confidentiality risks are significant. Organizations with multiple contributors or editors are at higher risk, as attackers can leverage lower-privileged accounts to escalate their impact. The lack of known exploits in the wild provides a window for remediation, but the widespread use of WordPress and WooCommerce increases the potential attack surface globally.

To mitigate CVE-2024-3991, organizations should immediately update the ShopLentor plugin to a version that addresses this vulnerability once available. In the absence of an official patch, administrators should consider disabling or restricting access to the Horizontal Product Filter feature to prevent exploitation. Implement strict role-based access controls to limit contributor-level privileges only to trusted users and regularly audit user accounts for suspicious activity. Employ web application firewalls (WAFs) with rules designed to detect and block cross-site scripting payloads targeting the _id attribute or related plugin parameters. Additionally, site administrators should enable Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts. Regularly scan the website for injected scripts or anomalous content and monitor logs for unusual behavior. Educate contributors about the risks of uploading or entering untrusted content. Finally, ensure that all input fields are properly sanitized and output is escaped in custom code or plugin extensions to prevent similar vulnerabilities.