The ShopLentor WordPress plugin (formerly WooLentor) contains an SSRF vulnerability (CWE-918) in the woolentor_template_proxy function in all versions up to 3.1.2. This flaw allows unauthenticated attackers to induce the server to make HTTP requests to arbitrary locations, potentially enabling access to internal network resources or services that are not otherwise exposed externally. The vulnerability has a CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and limited confidentiality and integrity impact without availability impact. No patch or official fix information is currently available from the vendor or public advisories.

An attacker can exploit this SSRF vulnerability to make the vulnerable server perform HTTP requests to arbitrary URLs, including internal network services. This can lead to unauthorized information disclosure and modification of internal resources accessible from the server. The impact is limited to confidentiality and integrity, with no direct availability impact reported. Since the vulnerability is exploitable without authentication, it poses a risk to any site running affected versions of the plugin.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider disabling or removing the ShopLentor plugin if possible or restricting access to the vulnerable functionality. Monitoring for updates from the vendor devitemsllc is recommended to apply any forthcoming patches promptly.