CVE-2024-9538: 
WordPress vulnerability analysis and mitigation

The ShopLentor plugin for WordPress (CVE-2024-9538) contains a Sensitive Information Exposure vulnerability affecting all versions up to and including 2.9.8. The vulnerability was discovered by researcher Ankit Patel and was publicly disclosed on October 10, 2024. This security issue specifically affects the 'render' function in the includes/addons/wl_faq.php file of the plugin (NVD, Wordfence Intel).

The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor). It has received a CVSS v3.1 Base Score of 4.3 (Medium) with the following vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. This indicates that the vulnerability requires network access, has low attack complexity, requires low privileges, needs no user interaction, has unchanged scope, and can impact confidentiality but not integrity or availability (NVD).

The vulnerability allows authenticated attackers with Contributor-level access or higher to extract sensitive private, pending, and draft Elementor template data from the WordPress installation (NVD).

A fix has been implemented as evidenced by the WordPress plugin repository changelog (WordPress Plugin). Users should update to a version newer than 2.9.8 to mitigate this vulnerability.