Platform
wordpress
Component
woolentor-addons
Fixed version
3.3.6
CVE-2026-4059 is a stored Cross-Site Scripting (XSS) vulnerability in the ShopLentor plugin for WordPress. The flaw lies in the 'buttontext' attribute of the 'woolentorquickview_button' shortcode: because the attribute value is neither sufficiently sanitized on input nor escaped on output, an authenticated attacker with Contributor-level access or higher can inject arbitrary JavaScript into pages. The script executes whenever a user views the injected page, which can lead to cookie theft, redirection to malicious websites, or manipulation of page content. The vulnerability has a CVSS score of 6.4, indicating a moderate-high risk. Updating the plugin to version 3.3.6 or later mitigates this risk.
An attacker with Contributor or higher privileges on a WordPress site running the ShopLentor plugin can exploit this vulnerability by placing malicious JavaScript in the 'buttontext' attribute of the 'woolentorquickview_button' shortcode. The payload is stored in the database and executed every time a user views the page containing the modified shortcode. Exploitation requires an authenticated account but not administrator privileges. Because generic tools and techniques for injecting JavaScript into shortcodes are readily available, the ease of exploitation is relatively high.
Exploit status
EPSS
0.04% (12th percentile)
CISA SSVC
CVSS vector
The fix for CVE-2026-4059 is to update the ShopLentor plugin to version 3.3.6 or later; this release sanitizes the input of the 'button_text' attribute and escapes its output, which prevents the injection of malicious code. Until the update is applied, restrict page-editing access to the smallest set of users that needs it, enable a WordPress security plugin that protects against XSS, back up the site regularly so it can be restored after an attack, and monitor the site's logs for suspicious activity.
Update to version 3.3.6, or a newer patched version
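The advisory describes the root cause as a shortcode attribute that is neither sanitized on input nor escaped on output. The following PHP is an added illustration of that pattern and of the hardened form, written for this page; it is not ShopLentor's code, and the handler names, the attribute name ('buttontext', following the advisory's wording) and the default label are assumptions.

```php
<?php
// Added example (not the plugin's own code): a WordPress shortcode handler that
// renders a button whose label comes from a shortcode attribute supplied by a
// content author. Shortcode and attribute names follow the advisory's wording;
// the plugin's real function signatures are not known here and are assumed.

// UNSAFE pattern: the attribute value is concatenated into HTML unchanged, so
// markup placed in the attribute by a Contributor is stored with the post and
// rendered verbatim for every visitor (stored XSS).
function example_quickview_button_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'buttontext' => 'Quick view' ),   // assumed default label
        $atts,
        'woolentorquickview_button'
    );
    return '<button class="quickview">' . $atts['buttontext'] . '</button>';
}

// HARDENED pattern: sanitize on input, escape on output for the exact context
// the value lands in (an HTML text node), so any markup arrives as inert text.
function example_quickview_button_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'buttontext' => 'Quick view' ),   // assumed default label
        $atts,
        'woolentorquickview_button'
    );

    // sanitize_text_field() strips tags, octets and control characters from
    // untrusted input; esc_html() then encodes <, >, &, " and ' for output.
    $label = sanitize_text_field( $atts['buttontext'] );

    return sprintf( '<button class="quickview">%s</button>', esc_html( $label ) );
}

// Only the hardened handler is registered; the unsafe one exists for comparison.
add_shortcode( 'example_quickview_button', 'example_quickview_button_safe' );
```

With the hardened handler, any angle brackets or quotes an author places in the attribute reach the browser as HTML entities inside the button text rather than as markup. Had the value been used inside an attribute (for example `title="..."`), `esc_attr()` would be the matching escape; had it been placed in a `href`, `esc_url()`. The escaping function must match the output context, and escaping belongs at the output point even when input was sanitized earlier.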
XSS (Cross-Site Scripting) is a type of security vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.
In WordPress, the 'Contributor' role has limited permissions to edit content, but not to install plugins or change site settings.
In the WordPress admin panel, go to Plugins and look for ShopLentor. The version will be displayed below the plugin name.
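For a site managed from the command line, the same check can be scripted. This is an added example, not part of the advisory: it assumes WP-CLI is installed and the script runs from the WordPress root, reads the installed version of the woolentor-addons plugin, and compares it against the fixed version 3.3.6 using a version-aware sort.

```shell
#!/bin/sh
# Added example (not from the advisory or the plugin): report whether the
# installed ShopLentor (woolentor-addons) version is at or above the fixed
# release. Assumes WP-CLI ("wp") is available and the cwd is the WordPress root.

FIXED_VERSION="3.3.6"

# is_patched VERSION: returns 0 when VERSION >= FIXED_VERSION.
# sort -V orders version strings numerically per component, so 3.10.0 sorts
# after 3.3.6 (a plain string compare would get this wrong).
is_patched() {
    lowest=$(printf '%s\n%s\n' "$1" "$FIXED_VERSION" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED_VERSION" ]
}

# check_woolentor: query WP-CLI for the installed plugin version and report.
# Returns 0 if patched, 1 if vulnerable, 2 if the version could not be read.
check_woolentor() {
    installed=$(wp plugin get woolentor-addons --field=version 2>/dev/null) || {
        echo "woolentor-addons is not installed or WP-CLI is unavailable"
        return 2
    }
    if is_patched "$installed"; then
        echo "woolentor-addons $installed: patched (>= $FIXED_VERSION)"
        return 0
    fi
    echo "woolentor-addons $installed: VULNERABLE, update to $FIXED_VERSION or later"
    return 1
}

# Usage: sh check_woolentor.sh --run
if [ "${1:-}" = "--run" ]; then
    check_woolentor
fi
```

The exit status makes the script usable from a fleet-wide job: non-zero means the host needs attention, and the distinct code 2 separates "plugin absent" from "plugin vulnerable" so the two cases can be routed differently.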
If you suspect your site has been compromised, immediately change all administrator passwords, scan your site for malware, and restore your site from a clean backup.
Besides updating the plugin, consider using a WordPress security plugin, implementing a web application firewall (WAF), and enabling two-factor authentication for all user accounts.