CVE-2024-4566

Name of the Vulnerable Software and Affected Versions: ShopLentor plugin for WordPress versions up to, and including, 2.8.8

Description: The issue is related to a missing capability check on the ajax dismiss function, which allows authenticated attackers with contributor-level access and above to modify data by setting arbitrary WordPress options to "true". This can be exploited by attackers with subscriber- or customer-level access and above under certain conditions, such as when the WooCommerce plugin is deactivated or access to the default WordPress admin dashboard is explicitly enabled for authenticated users.

Recommendations: For versions up to, and including, 2.8.8, update to a version that includes a fix for this issue. As a temporary workaround, consider disabling the ajax dismiss function until a patch is available. Restrict access to the WordPress admin dashboard and ensure that the WooCommerce plugin is activated to minimize the risk of exploitation.