CVE-2026-1714
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
Lifecycle Timeline
2Tags
Description
The ShopLentor - WooCommerce Builder for Elementor & Gutenberg +21 Modules - All in One Solution plugin for WordPress is vulnerable to Email Relay Abuse in all versions up to, and including, 3.3.2. This is due to the lack of validation on the 'send_to', 'product_title', 'wlmessage', and 'wlemail' parameters in the 'woolentor_suggest_price_action' AJAX endpoint. This makes it possible for unauthenticated attackers to send arbitrary emails to any recipient with full control over the subject line, message content, and sender address (via CRLF injection in the 'wlemail' parameter), effectively turning the website into a full email relay for spam or phishing campaigns.
Analysis
Unauthenticated attackers can abuse the ShopLentor plugin for WordPress (versions up to 3.3.2) to send arbitrary emails through affected websites due to insufficient input validation in an AJAX endpoint, allowing them to conduct spam and phishing campaigns with full control over recipient addresses, subject lines, and message content. The vulnerability requires no user interaction and affects all installations of the vulnerable plugin. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Audit all WordPress installations to identify ShopLentor plugin usage and document affected systems. Within 7 days: Implement compensating controls such as disabling the plugin or restricting access to administrative functions via WAF rules, and contact the vendor for patch timeline. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today