CVE-2023-6327
ShopLentor (formerly WooLentor) <= 2.8.7 - Missing Authorization via purchased_new_products
CVSS Score
5.3
EPSS Score
0.0%
EPSS Percentile
0th
The ShopLentor (formerly WooLentor) plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the purchased_new_products function in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to view all products purchased in the past week, along with the users that purchased them.
| CWE | CWE-862 |
| Vendor | devitemsllc |
| Product | shoplentor – all-in-one woocommerce growth & store enhancement plugin |
| Published | May 9, 2024 |
| Last Updated | Apr 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for devitemsllc shoplentor – all-in-one woocommerce growth & store enhancement plugin
Be the first to know when new medium vulnerabilities affecting devitemsllc shoplentor – all-in-one woocommerce growth & store enhancement plugin are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
devitemsllc / ShopLentor – All-in-One WooCommerce Growth & Store Enhancement Plugin
0 ≤ 2.8.7
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/263324cb-31b7-40ad-ad7d-4582e128cd75?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/2.7.4/includes/modules/sales-notification/class.sale_notification.php plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3080097/woolentor-addons/trunk/includes/modules/sales-notification/class.sale_notification.php?contextall=1&old=3061864&old_path=%2Fwoolentor-addons%2Ftrunk%2Fincludes%2Fmodules%2Fsales-notification%2Fclass.sale_notification.php
Credits
Francesco Carlucci