A critical vulnerability has been identified in the ShopLentor WordPress plugin, which could allow an unauthenticated attacker to read sensitive files from the underlying server. Successful exploitation of this flaw could lead to the theft of confidential data, such as database credentials and system configuration files, potentially resulting in a complete compromise of the affected website and server.

The vulnerability is a Local File Inclusion (LFI) flaw within "The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution" plugin. Due to insufficient input validation on a parameter used to include files, a remote, unauthenticated attacker can manipulate the input to include arbitrary files from the server's local filesystem. An attacker can exploit this by sending a specially crafted web request containing directory traversal sequences (e.g., ../../..) to navigate outside the intended directory and access sensitive files like wp-config.php (containing database credentials) or /etc/passwd.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Exploitation could have a severe and direct impact on business operations. An attacker could gain access to sensitive customer data, intellectual property, and critical system credentials, leading to a significant data breach. The consequences include financial loss from remediation efforts and potential regulatory fines (e.g., GDPR, PCI-DSS), severe reputational damage, and loss of customer trust. A full server compromise could also lead to extended downtime and disruption of e-commerce services.

Immediate Action: Immediately update The ShopLentor plugin to the latest version provided by the vendor to patch the vulnerability. After patching, review web server access logs and system logs for any signs of exploitation that may have occurred prior to the update.

Proactive Monitoring:

• Log Analysis: Continuously monitor web server (e.g., Apache, Nginx) access logs for suspicious requests containing directory traversal patterns such as ../, ..%2f, or absolute file paths targeting the plugin's endpoints.
• File Integrity Monitoring (FIM): Implement FIM on critical system and application files, including wp-config.php, to alert on any unauthorized modifications.
• Network Traffic: Monitor for unusual outbound connections from the web server, which could indicate data exfiltration or a reverse shell established by an attacker.

Compensating Controls:

• Web Application Firewall (WAF): If immediate patching is not possible, deploy a WAF with rulesets designed to block LFI and directory traversal attack patterns.
• Least Privilege: Ensure the web server user account has the minimum necessary file permissions, restricting its ability to read sensitive files outside of the web root.
• Disable Plugin: If the plugin is not essential and cannot be patched, disable and uninstall it until a secure version can be deployed.

Public Exploit Available: false

Given the critical severity (CVSS 9.8) of this unauthenticated Local File Inclusion vulnerability, organizations using the affected ShopLentor plugin are strongly advised to apply the security update provided by the vendor immediately. This vulnerability poses a significant risk of a full system compromise. Although not currently listed on the CISA KEV list, its high score makes it a prime candidate for future inclusion. Prioritize patching on all internet-facing systems and implement the recommended monitoring and compensating controls to mitigate risk and detect potential compromise.