CVE-2023-6327

5.3 MEDIUM

📋 TL;DR

The ShopLentor (formerly WooLentor) WordPress plugin has an authorization bypass vulnerability that allows unauthenticated attackers to view all products purchased in the past week along with purchaser information. This affects all WordPress sites using ShopLentor versions up to 2.8.7. The vulnerability stems from missing capability checks in the purchased_new_products function.

💻 Affected Systems

Products:
  • ShopLentor (formerly WooLentor) WordPress plugin
Versions: All versions up to and including 2.8.7
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects WordPress installations with the ShopLentor plugin installed and active.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could harvest customer purchase history, identify high-value customers, and potentially correlate purchase data with other information for targeted attacks or social engineering.

🟠 Likely Case

Unauthenticated attackers access recent purchase data, including product names and customer information, potentially violating privacy regulations such as GDPR.

🟢 If Mitigated

Exposure is limited to viewing purchase data from the past week; there is no ability to modify data or access other sensitive information.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability is straightforward to exploit as it requires no authentication and the endpoint is publicly accessible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.8.8

Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3080097/woolentor-addons/trunk/includes/modules/sales-notification/class.sale_notification.php

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find ShopLentor plugin
4. Click 'Update Now' if update is available
5. Alternatively, download version 2.8.8+ from WordPress repository and manually update

🔧 Temporary Workarounds

Disable ShopLentor Plugin

Platform: all

Temporarily deactivate the vulnerable plugin until it is patched:

wp plugin deactivate woolentor-addons

Block Vulnerable Endpoint

Platform: linux

Use a web application firewall or .htaccess to block access to the vulnerable endpoint. Match the specific action rather than all of admin-ajax.php, since that file also serves legitimate unauthenticated front-end AJAX requests. Note that mod_rewrite can only inspect the query string, not a POST body, so a request that carries the action parameter in the body can only be blocked by a WAF rule that inspects the body.

# Add to .htaccess (mod_rewrite). REQUEST_URI holds only the path, so the
# action parameter has to be matched against QUERY_STRING.
RewriteEngine On
RewriteCond %{REQUEST_URI} admin-ajax\.php [NC]
RewriteCond %{QUERY_STRING} action=purchase_notification [NC]
RewriteRule .* - [F,L]

🧯 If You Can't Patch

  • Implement network-level restrictions to block external access to WordPress admin and API endpoints
  • Enable WordPress security plugins with intrusion detection and file integrity monitoring

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for ShopLentor version. If version is 2.8.7 or lower, you are vulnerable.

Check Version:

wp plugin get woolentor-addons --field=version

Verify Fix Applied:

After updating, verify plugin version shows 2.8.8 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual access patterns to /wp-admin/admin-ajax.php with action=purchase_notification
  • Multiple requests from single IPs to sales notification endpoints

Network Indicators:

  • HTTP POST requests to admin-ajax.php with 'action=purchase_notification' parameter from unauthenticated sources

SIEM Query:

source="wordpress.log" AND (uri_path="/wp-admin/admin-ajax.php" AND query_string="*action=purchase_notification*")
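The log indicators above can be checked offline against a web server access log. The following script is an added example, not part of this advisory or of the ShopLentor project: it parses lines in the Apache/nginx "combined" log format, flags requests to /wp-admin/admin-ajax.php whose query string carries the action name this advisory gives (purchase_notification), and reports IPs that hit the endpoint repeatedly. The sample log lines and the repeat threshold of 2 are constructed assumptions. Access logs record the query string but not a POST body, so a request that sends the action only in the body will not be caught here; that case needs WAF or application-level logging.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log in "combined" format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Dec/2023:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=purchase_notification HTTP/1.1" 200 2311 "-" "python-requests/2.31"
203.0.113.10 - - [10/Dec/2023:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=purchase_notification HTTP/1.1" 200 2311 "-" "python-requests/2.31"
203.0.113.10 - - [10/Dec/2023:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=purchase_notification HTTP/1.1" 200 2311 "-" "curl/8.1.2"
198.51.100.7 - - [10/Dec/2023:10:05:00 +0000] "GET /shop/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Dec/2023:10:05:04 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 45 "https://example.test/wp-admin/" "Mozilla/5.0"
192.0.2.5 - - [10/Dec/2023:10:07:00 +0000] "GET /wp-admin/admin-ajax.php?action=PURCHASE_NOTIFICATION HTTP/1.1" 200 2311 "-" "Go-http-client/1.1"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

AJAX_PATH = "/wp-admin/admin-ajax.php"
SUSPECT_ACTION = "purchase_notification"  # action name as given in this advisory


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs returns a list per key; take the first value and normalise case
    rec["action"] = parse_qs(parts.query).get("action", [""])[0].lower()
    return rec


def find_hits(log_text):
    """Return parsed records that call admin-ajax.php with the suspect action."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == AJAX_PATH and rec["action"] == SUSPECT_ACTION:
            hits.append(rec)
    return hits


def noisy_ips(hits, threshold=2):
    """IPs with at least `threshold` hits (threshold is an assumed tuning value)."""
    counts = Counter(h["ip"] for h in hits)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} action={h["action"]} ua="{h["ua"]}"')
    print("repeat sources:", noisy_ips(hits))
```

Run it against a real log with `find_hits(open("access.log").read())`; any hit from an IP that never loaded a storefront page is worth a closer look, and a burst from one IP matches the "multiple requests from single IPs" indicator above.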
