CVE-2026-1714 HIGH

CVE-2026-1714: ShopLentor <= 3.3.2 - Unauthenticated Email Relay Abuse via 'woolentor_suggest_price_action' AJAX Action

Vendor Devitemsllc
Product ShopLentor – All-in-One WooCommerce Growth & Store Enhancement Plugin
Weakness CWE-93 · CRLF injection
Published February 18, 2026
Last update April 8, 2026

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

What the vulnerability does

01 Description

The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution plugin for WordPress is vulnerable to Email Relay Abuse in all versions up to, and including, 3.3.2. This is due to the lack of validation on the 'send_to', 'product_title', 'wlmessage', and 'wlemail' parameters in the 'woolentor_suggest_price_action' AJAX endpoint. This makes it possible for unauthenticated attackers to send arbitrary emails to any recipient with full control over the subject line, message content, and sender address (via CRLF injection in the 'wlemail' parameter), effectively turning the website into a full email relay for spam or phishing campaigns.
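The root cause described above is that request parameters flow unchecked into mail headers and the recipient field, so a CR/LF sequence in 'wlemail' can terminate the header line and append new ones. The handler below is an added, illustrative hardened version of such a "suggest a price" endpoint; it is not ShopLentor's code and not the vendor's fix. The function names, the nonce action 'example_suggest_price', the AJAX action names and the transient-based rate limit are assumptions; only the request parameter names (wlemail, product_title, wlmessage) come from the advisory. It uses standard WordPress functions throughout.

```php
<?php
// Added example: a hardened "suggest a price" AJAX handler (not the plugin's own code).
// Design rules: the site, not the request, chooses the recipient; header-bound values
// must be single-line; the visitor's address goes in Reply-To, never From.

/**
 * True if a value contains CR or LF, which would let it end the current mail
 * header line and inject further headers (CWE-93).
 */
function example_has_crlf( $value ) {
    return (bool) preg_match( '/[\r\n]/', (string) $value );
}

function example_suggest_price_handler() {
    // 1. Tie the request to a form the site rendered (nonce action is an assumption).
    check_ajax_referer( 'example_suggest_price', 'nonce' );

    // 2. Simple per-IP throttle via a transient (assumed acceptable for a low-volume form).
    $ip_key = 'example_sp_' . md5( (string) ( $_SERVER['REMOTE_ADDR'] ?? '' ) );
    if ( get_transient( $ip_key ) ) {
        wp_send_json_error( array( 'message' => 'Please wait before sending again.' ), 429 );
    }
    set_transient( $ip_key, 1, MINUTE_IN_SECONDS );

    // 3. Recipient is fixed by site configuration; no 'send_to' parameter is honoured.
    $to = get_option( 'admin_email' );

    // 4. Visitor address: reject CR/LF explicitly, then require a single well-formed address.
    $raw_email = isset( $_POST['wlemail'] ) ? wp_unslash( $_POST['wlemail'] ) : '';
    if ( example_has_crlf( $raw_email ) || ! is_email( $raw_email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid email address.' ), 400 );
    }
    $email = sanitize_email( $raw_email );

    // 5. Value that ends up in the Subject header: strip line breaks/tags and cap length.
    $product_title = sanitize_text_field( wp_unslash( $_POST['product_title'] ?? '' ) );
    $product_title = mb_substr( $product_title, 0, 200 );

    // 6. Free text goes only into the body (newlines allowed there), length-capped.
    $message = sanitize_textarea_field( wp_unslash( $_POST['wlmessage'] ?? '' ) );
    $message = mb_substr( $message, 0, 2000 );

    // 7. Subject template is controlled by the site; user input appears only as sanitized text.
    $subject = sprintf( 'Price suggestion for: %s', $product_title );

    // 8. Reply-To lets the store answer the visitor while the From/envelope sender stays
    //    the site's own address, so the site never sends mail "as" an arbitrary party.
    $headers = array( 'Reply-To: ' . $email );

    $body = "Product: {$product_title}\nSubmitted by: {$email}\n\n{$message}";

    if ( ! wp_mail( $to, $subject, $body, $headers ) ) {
        wp_send_json_error( array( 'message' => 'Mail could not be sent.' ), 500 );
    }
    wp_send_json_success( array( 'message' => 'Thanks, your suggestion was sent.' ) );
}

// A public form needs the nopriv hook as well; the nonce, fixed recipient and
// single-line header checks are what keep it from becoming an open relay.
add_action( 'wp_ajax_example_suggest_price', 'example_suggest_price_handler' );
add_action( 'wp_ajax_nopriv_example_suggest_price', 'example_suggest_price_handler' );
```

Two points are worth keeping in mind when reviewing a form handler of this kind. First, a nonce on an unauthenticated endpoint establishes that the request came from a page the site served, not that the caller is trusted, so it should be paired with throttling and a fixed recipient as above. Second, `is_email()` already rejects values containing line breaks, and modern PHPMailer validates addresses passed to it, but the explicit CR/LF check documents the intent and protects any header that is assembled by string concatenation rather than through the mailer's address API.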

Explanation of Vulnerability in Simple Terms

02 Summary

ShopLentor versions up to and including 3.3.2 contain an input validation flaw (CWE-93, CRLF injection) in the 'woolentor_suggest_price_action' AJAX endpoint that allows unauthenticated attackers to send arbitrary email through the site, choosing the recipient, subject, message body and sender address. The vulnerability requires no user interaction and can be exploited remotely over the network. Site owners should update immediately to a version newer than 3.3.2.

What an attacker can do

03 Attacker Capabilities

Send arbitrary emails from the site to any recipient, with full control over the subject line, message content and sender address, without authentication.

Potential impact on your site

04 Site Impact

Attackers can use your site as an open email relay, sending spam or phishing messages in its name without your knowledge; this affects the integrity of mail that appears to originate from your domain rather than the store's own pages or data.

Conditions required to exploit

05 Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06 Disclosure timeline

February 18, 2026 CVE published
April 8, 2026 Record updated