CVE-2025-11823
📋 TL;DR
This stored XSS vulnerability in the ShopLentor WooCommerce Builder plugin allows authenticated attackers with Contributor access or higher to inject malicious scripts into WordPress pages. When users visit compromised pages, the scripts execute in their browsers, potentially stealing session cookies or performing unauthorized actions. All WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution
📦 What is this software?
Shoplentor by Hasthemes
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator session cookies, take over WordPress sites, deface websites, redirect users to malicious sites, or install backdoors for persistent access.
Likely Case
Attackers with contributor accounts inject malicious scripts to steal user session cookies, potentially compromising user accounts and performing unauthorized actions on the site.
If Mitigated
With proper input validation and output escaping, malicious scripts are neutralized before reaching users, preventing execution while maintaining functionality.
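The escaping the advisory refers to, shown as an added example rather than the plugin's own code or the fix shipped in 3.2.5: a shortcode handler for a hypothetical `wishsuite_button` that escapes the user-controlled `button_exist_text` attribute at the point of output. It assumes a WordPress environment is loaded; the `class` attribute, the CSS class names and the `example_` function names are invented for illustration.

```php
<?php
/**
 * Added example (not the plugin's own code): a shortcode handler for a
 * hypothetical "wishsuite_button" tag. Assumed: WordPress is loaded; the
 * attribute names other than button_exist_text and all example_* names
 * are invented.
 */

// The vulnerable pattern: the attribute value is echoed as-is, so any
// markup supplied by a user who can place the shortcode lands in the page.
function example_wishsuite_button_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'button_exist_text' => 'Already in wishlist' ), $atts, 'wishsuite_button' );
    return '<button class="example-wishlist-exist">' . $atts['button_exist_text'] . '</button>';
}

// The hardened pattern: escape on output with the function that matches the
// context (esc_html() for text nodes, esc_attr() for attribute values,
// esc_url() for hrefs). Legitimate plain-text labels still render exactly
// as entered, so the shortcode keeps working for its intended use.
function example_wishsuite_button_safe( $atts ) {
    $atts = shortcode_atts(
        array(
            'button_exist_text' => 'Already in wishlist',
            'class'             => '',
        ),
        $atts,
        'wishsuite_button'
    );

    return sprintf(
        '<button type="button" class="example-wishlist-exist %s">%s</button>',
        esc_attr( $atts['class'] ),
        esc_html( $atts['button_exist_text'] )
    );
}

// Register the hardened handler; in a real plugin it replaces, rather than
// sits beside, the unsafe one.
add_shortcode( 'wishsuite_button', 'example_wishsuite_button_safe' );
```

The point to check in a code review of any shortcode is whether every attribute reaches the returned HTML through an `esc_*` function appropriate to where it is placed; a template file that prints `$atts['button_exist_text']` directly fails that check even if the handler itself looks clean.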
🎯 Exploit Status
Requires authenticated access (Contributor role or higher) and knowledge of WordPress shortcode usage.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.5 or later
Vendor Advisory: https://wordpress.org/plugins/woolentor-addons/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the 'ShopLentor – WooCommerce Builder' plugin.
4. Click 'Update Now' if available.
5. Alternatively, download version 3.2.5+ from WordPress.org and update manually.
🔧 Temporary Workarounds
Disable vulnerable shortcode
- Remove or disable the wishsuite_button shortcode functionality to prevent exploitation
- Edit theme files to remove [wishsuite_button] shortcode usage
Restrict user roles
- Temporarily remove Contributor role access or implement stricter role-based access controls
- Use WordPress role management plugins to restrict shortcode editing capabilities
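Both workarounds can be applied from a single must-use plugin instead of editing theme files, shown here as an added example that is not from the advisory or from ShopLentor. It assumes the shortcode tag is exactly `wishsuite_button`, as the advisory names it, and that the plugin registers it on `plugins_loaded` or `init`; the plugin header, the `example_` function name and the log message are invented.

```php
<?php
/**
 * Plugin Name: Example WishSuite Shortcode Guard (mu-plugin)
 *
 * Added example, not part of the advisory or the ShopLentor plugin. Place
 * it in wp-content/mu-plugins/ as a stop-gap until the plugin is updated.
 * Assumed: the shortcode tag is "wishsuite_button" and it is registered on
 * plugins_loaded or init; all example_* names are invented.
 */

// 1. Unregister the shortcode after every plugin has had a chance to
//    register it. WordPress leaves unknown tags in the content as literal
//    bracketed text, so the attribute value is never rendered as HTML.
add_action( 'init', function () {
    remove_shortcode( 'wishsuite_button' );
}, PHP_INT_MAX );

// 2. Strip the shortcode from content saved by users without the
//    unfiltered_html capability (Contributors and Authors by default), so
//    the tag never reaches the database from low-privilege accounts.
function example_strip_wishsuite_shortcode( $content ) {
    if ( current_user_can( 'unfiltered_html' ) ) {
        return $content;
    }
    // Matches [wishsuite_button ...] and an optional [/wishsuite_button].
    $pattern  = '/\[\/?wishsuite_button\b[^\]]*\]/i';
    $stripped = preg_replace( $pattern, '', $content );
    if ( $stripped !== $content ) {
        // Leave a trail for the detection queries below.
        error_log( sprintf(
            'wishsuite_button shortcode removed from content saved by user %d',
            get_current_user_id()
        ) );
    }
    return $stripped;
}
add_filter( 'content_save_pre', 'example_strip_wishsuite_shortcode' );
```

Step 1 alone neutralises tags already stored in posts; step 2 adds a record of who keeps trying to insert the tag, which is the signal worth forwarding to the SIEM. Remove the mu-plugin once 3.2.5 or later is installed, otherwise the legitimate wishlist button stays disabled.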
🧯 If You Can't Patch
- Implement Web Application Firewall (WAF) rules to block XSS payloads in button_exist_text parameter
- Regularly audit user-generated content and shortcode usage for malicious scripts
🔍 How to Verify
Check if Vulnerable:
In WordPress admin → Plugins → Installed Plugins, check whether the ShopLentor plugin is version 3.2.4 or earlier (vulnerable)
Check Version:
wp plugin list --name=woolentor-addons --field=version
Verify Fix Applied:
Verify plugin version is 3.2.5 or later in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- Unusual shortcode modifications in post/page revisions
- Multiple failed login attempts followed by successful Contributor-level login
- POST requests containing suspicious script tags in button_exist_text parameter
Network Indicators:
- Unusual outbound connections from WordPress site after page visits
- Suspicious JavaScript loading from unexpected sources
SIEM Query:
source="wordpress.log" AND ("wishsuite_button" OR "button_exist_text") AND ("script" OR "javascript:" OR "onload=" OR "onerror=")
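The same indicators as the SIEM query, applied offline to stored post content so that the audit suggested under "If You Can't Patch" can be scripted. This is an added example, not from the advisory: a standalone PHP routine that takes post records (for instance the output of `wp post list --field=post_content` or a database export), finds every `wishsuite_button` tag and flags attribute values containing a script marker. The sample records are constructed, and the marker list extends the query's terms with `onclick=`.

```php
<?php
/**
 * Added example, not from the advisory: standalone audit of post content
 * for wishsuite_button tags whose attributes carry script markers. The
 * records below are constructed for illustration; the marker string in
 * post-103 is inert and exists only to trip the rule.
 */

const SUSPICIOUS_MARKERS = array( '<script', 'javascript:', 'onload=', 'onerror=', 'onclick=' );

// Returns one finding per suspicious tag: record id, the marker that
// matched, and the full tag text for triage.
function audit_wishsuite_shortcodes( array $records ) {
    $findings = array();
    foreach ( $records as $id => $content ) {
        // Attribute values containing "]" would cut the match short, which is
        // itself worth a look; this simple scanner does not handle that case.
        if ( ! preg_match_all( '/\[wishsuite_button\b([^\]]*)\]/i', $content, $tags, PREG_SET_ORDER ) ) {
            continue;
        }
        foreach ( $tags as $tag ) {
            // Decode entities first so "&lt;script" is treated like "<script".
            $attrs = html_entity_decode( $tag[1], ENT_QUOTES | ENT_HTML5 );
            foreach ( SUSPICIOUS_MARKERS as $marker ) {
                if ( stripos( $attrs, $marker ) !== false ) {
                    $findings[] = array( 'record' => $id, 'marker' => $marker, 'tag' => $tag[0] );
                    break;
                }
            }
        }
    }
    return $findings;
}

// Constructed sample records: two benign posts and one carrying markup in
// button_exist_text.
$sample_records = array(
    'post-101' => 'Great product! [wishsuite_button button_exist_text="Already in your wishlist"]',
    'post-102' => 'No shortcode here, just a review.',
    'post-103' => '[wishsuite_button button_exist_text="Saved<script>/* constructed sample */</script>"]',
);

foreach ( audit_wishsuite_shortcodes( $sample_records ) as $f ) {
    printf( "%s: marker %s in %s\n", $f['record'], $f['marker'], $f['tag'] );
}
```

Run it against post revisions as well as current content, since the "Unusual shortcode modifications in post/page revisions" indicator above depends on seeing the history, not just the latest version.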
🔗 References
- https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.2.2/includes/modules/wishlist/includes/classes/Frontend/Shortcode.php#L107
- https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.2.2/includes/modules/wishlist/includes/templates/wishsuite-button-exist.php#L1
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2d45afd4-9a1f-402c-86e3-8e3d6d7178d3?source=cve