cbcvebase.
CVE-2024-4566
published 2024-05-21

Priority: P338, high, 7.1 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
EPSS: 0.41% (32.4th percentile)

The ShopLentor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_dismiss function in all versions up to, and including, 2.8.8. This makes it possible for authenticated attackers, with contributor-level access and above, to set arbitrary WordPress options to "true". NOTE: This vulnerability can be exploited by attackers with subscriber- or customer-level access and above if (1) the WooCommerce plugin is deactivated or (2) access to the default WordPress admin dashboard is explicitly enabled for authenticated users.

Affected

2 ranges
Vendor | Product | Version range | Fixed in
devitemsllc | shoplentor_all-in-one_woocommerce_growth_store_enhancement_plugin | <= 2.8.8 |
hasthemes | shoplentor | < 2.8.9 | 2.8.9