CVE-2026-1714

ShopLentor <= 3.3.2 - Unauthenticated Email Relay Abuse via 'woolentor_suggest_price_action' AJAX Action

highImproper Neutralization of CRLF Sequences ('CRLF Injection')

8.6

CVSS Score

8.6

CVSS Score

high

Severity

3.3.3

Patched in

Time to patch

Description

The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution plugin for WordPress is vulnerable to Email Relay Abuse in all versions up to, and including, 3.3.2. This is due to the lack of validation on the 'send_to', 'product_title', 'wlmessage', and 'wlemail' parameters in the 'woolentor_suggest_price_action' AJAX endpoint. This makes it possible for unauthenticated attackers to send arbitrary emails to any recipient with full control over the subject line, message content, and sender address (via CRLF injection in the 'wlemail' parameter), effectively turning the website into a full email relay for spam or phishing campaigns.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Changed

None

Confidentiality

High

Integrity

None

Availability

Technical Details

Affected versions<=3.3.2

PublishedFebruary 17, 2026

Last updatedFebruary 25, 2026

Affected pluginwoolentor-addons

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/cf326914-6a38-4984-a2a7-66e05f41a96b?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database