{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11823", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-15T17:55:27.963Z", "datePublished": "2025-10-25T04:22:44.973Z", "dateUpdated": "2026-04-08T16:44:09.355Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:44:09.355Z"}, "affected": [{"vendor": "devitemsllc", "product": "ShopLentor \u2013 All-in-One WooCommerce Growth & Store Enhancement Plugin", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.2.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The ShopLentor \u2013 WooCommerce Builder for Elementor & Gutenberg +21 Modules \u2013 All in One Solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_exist_text' parameter in the 'wishsuite_button' shortcode in all versions up to, and including, 3.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "ShopLentor \u2013 WooCommerce Builder for Elementor & Gutenberg +21 Modules \u2013 All in One Solution <= 3.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d45afd4-9a1f-402c-86e3-8e3d6d7178d3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.2.2/includes/modules/wishlist/includes/templates/wishsuite-button-exist.php#L1"}, {"url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.2.2/includes/modules/wishlist/includes/classes/Frontend/Shortcode.php#L107"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)", "cweId": "CWE-80", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Youcef Hamdani"}], "timeline": [{"time": "2025-10-15T18:10:56.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-10-24T15:45:09.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-27T15:25:59.055549Z", "id": "CVE-2025-11823", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T15:57:18.537Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11823", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-10-27T15:25:59.055549Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-27T15:26:05.643Z"}}], "cna": {"title": "ShopLentor \u2013 WooCommerce Builder for Elementor & Gutenberg +21 Modules \u2013 All in One Solution <= 3.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "Youcef Hamdani"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "devitemsllc", "product": "ShopLentor \u2013 All-in-One WooCommerce Growth & Store Enhancement Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.2.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-15T18:10:56.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-10-24T15:45:09.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d45afd4-9a1f-402c-86e3-8e3d6d7178d3?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.2.2/includes/modules/wishlist/includes/templates/wishsuite-button-exist.php#L1"}, {"url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.2.2/includes/modules/wishlist/includes/classes/Frontend/Shortcode.php#L107"}], "descriptions": [{"lang": "en", "value": "The ShopLentor \u2013 WooCommerce Builder for Elementor & Gutenberg +21 Modules \u2013 All in One Solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_exist_text' parameter in the 'wishsuite_button' shortcode in all versions up to, and including, 3.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-80", "description": "CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:44:09.355Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11823", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:44:09.355Z", "dateReserved": "2025-10-15T17:55:27.963Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-25T04:22:44.973Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hasthemes:shoplentor:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "DDCB2283-E0CB-469E-8F77-C16D838382FB", "versionEndExcluding": "3.2.5", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The ShopLentor \u2013 WooCommerce Builder for Elementor & Gutenberg +21 Modules \u2013 All in One Solution plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_exist_text' parameter in the 'wishsuite_button' shortcode in all versions up to, and including, 3.2.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2025-11823", "lastModified": "2025-11-26T14:42:57.883", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-10-25T05:15:36.817", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.2.2/includes/modules/wishlist/includes/classes/Frontend/Shortcode.php#L107"}, {"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.2.2/includes/modules/wishlist/includes/templates/wishsuite-button-exist.php#L1"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d45afd4-9a1f-402c-86e3-8e3d6d7178d3?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-80"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T21:53:44.035877+00:00", "value": {"mitigation_remediation": ["Upgrade to ShopLentor version 3.2.5 or later, which contains the vendor\u2019s fix for the shortcode sanitization issue", "If an immediate upgrade is not possible, remove or restrict Contributor\u2011level users\u2019 ability to edit the wished suite module and disable the contentious shortcode from the page templates", "As a temporary containment measure, sanitize the \u2018button_exist_text\u2019 attribute on the site by applying a custom output filter or by manually removing the problematic shortcode from all affected pages"], "summary": {"action": "Apply Patch", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All WordPress sites running the \"ShopLentor \u2013 All-in-One WooCommerce Growth & Store Enhancement Plugin\" advertising plugin up to and including version 3.2.4 are affected. The vendor is DevItemsLLC. The issue exists specifically in the wishlist module that renders the wishsuite button via the problematic shortcode.", "description_and_impact": "The ShopLentor plugin for WordPress is vulnerable to a stored Cross\u2011Site Scripting flaw, triggered by the \u2018button_exist_text\u2019 parameter in the \u2018wishsuite_button\u2019 shortcode. The input is not sanitized or escaped, enabling an authenticated attacker with Contributor or higher access to embed arbitrary JavaScript that will run whenever any user views the affected page. This flaw allows the attacker to execute code with the victim\u2019s user context, leading to session hijacking, data theft, or defacement.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity, while the EPSS score of < 1% suggests a low probability of exploitation in the wild. The flaw is not listed in the CISA KEV catalog, implying that it has not yet been widely leveraged by known threat actors. Exploitation requires valid Contributor\u2011level credentials, so any site using such roles is at risk. Once authenticated, an attacker can inject arbitrary scripts that will execute for all users who view the payload page, potentially compromising user accounts or site integrity."}}}}, "created": "2025-10-27T22:10:25.855331+00:00", "updated": "2026-04-22T22:00:18.080224+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}