Description
The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution plugin for WordPress is vulnerable to Email Relay Abuse in all versions up to, and including, 3.3.2. This is due to the lack of validation on the 'send_to', 'product_title', 'wlmessage', and 'wlemail' parameters in the 'woolentor_suggest_price_action' AJAX endpoint. This makes it possible for unauthenticated attackers to send arbitrary emails to any recipient with full control over the subject line, message content, and sender address (via CRLF injection in the 'wlemail' parameter), effectively turning the website into a full email relay for spam or phishing campaigns.
Published: 2026-02-18
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthenticated Email Relay Abuse
Action: Patch Immediately
AI Analysis

Impact

The ShopLentor WooCommerce Builder for Elementor & Gutenberg plugin is vulnerable to unauthenticated email relay abuse in all releases up to 3.3.2. The woolentor_suggest_price_action AJAX endpoint does not validate the send_to, product_title, wlmessage, and wlemail parameters, so an attacker can inject CRLF sequences in wlemail to forge arbitrary From headers and can control the subject and body, turning the WordPress site into a full email relay for spam or phishing campaigns.

Affected Systems

The flaw affects the devitemsllc:ShopLentor All-in-One WooCommerce Growth & Store Enhancement Plugin for WordPress in versions 3.3.2 and earlier. The vulnerable code is the woolentor_suggest_price_action action in the class.ajax_actions.php file; users on these releases should upgrade promptly.

Risk and Exploitability

With a CVSS score of 8.6 and an EPSS score below 1%, the vulnerability is rated high severity with a low estimated probability of exploitation. The attack can be performed remotely without authentication by sending a crafted POST request to wp-admin/admin-ajax.php?action=woolentor_suggest_price_action, so rapid remediation is critical to prevent mass email abuse.

Generated by OpenCVE AI on April 15, 2026 at 17:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ShopLentor to the latest version (≥3.3.3), which addresses the missing validation on the woolentor_suggest_price_action endpoint.
  • If an immediate update is not possible, block unauthenticated HTTP POST requests to wp-admin/admin-ajax.php?action=woolentor_suggest_price_action using a Web Application Firewall or by disabling the action in code.
  • Restrict or disable the site’s mail‑sending capability for unauthenticated users, or configure a mail relay that blocks spoofed sender addresses, to prevent the abused plugin from functioning as an email relay.
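
The validation the description reports as missing on the four parameters, written out as an added example in plain PHP. It is not ShopLentor's code or the vendor's patch; the function name, the policy of a fixed server-configured recipient, and the sample addresses are assumptions.

```php
<?php
// Added example, not ShopLentor code. The function name and the policy of a
// fixed, server-configured recipient are assumptions made for illustration.
function validate_suggest_price_request(array $post, string $shop_recipient): array
{
    $get = fn(string $k): string => is_string($post[$k] ?? null) ? $post[$k] : '';
    $errors = [];

    // Fields that end up in mail headers must never contain CR or LF (CWE-93).
    foreach (['wlemail', 'product_title', 'send_to'] as $field) {
        if (preg_match('/[\r\n]/', $get($field))) {
            $errors[] = "$field contains CR/LF";
        }
    }

    // The sender must be exactly one syntactically valid address.
    $sender = trim($get('wlemail'));
    if (filter_var($sender, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'wlemail is not a valid email address';
    }

    // The recipient is taken from server-side configuration. A client-supplied
    // send_to that names anyone else is rejected instead of honoured.
    $send_to = trim($get('send_to'));
    if ($send_to !== '' && strcasecmp($send_to, $shop_recipient) !== 0) {
        $errors[] = 'send_to does not match the configured recipient';
    }

    return [
        'ok'       => $errors === [],
        'errors'   => $errors,
        'to'       => $shop_recipient,
        // Visitor address goes in Reply-To; From stays a site-owned address.
        'reply_to' => $errors === [] ? $sender : null,
        // Strip control characters and cap length (in bytes) before use.
        'subject'  => substr(preg_replace('/[\x00-\x1F\x7F]/', '', $get('product_title')), 0, 150),
        'body'     => substr(strip_tags($get('wlmessage')), 0, 2000),
    ];
}

// Constructed sample input: CRLF inside wlemail and an off-site recipient.
$sample = [
    'send_to'       => 'someone@example.net',
    'product_title' => 'Price suggestion',
    'wlmessage'     => 'Constructed test message',
    'wlemail'       => "visitor@example.org\r\nBcc: list@example.net",
];
$result = validate_suggest_price_request($sample, 'owner@shop.example');
echo json_encode($result['errors'], JSON_PRETTY_PRINT), PHP_EOL;
```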

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 14:15:00 +0000

Type: Metrics
Values Removed: none
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Feb 2026 11:00:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Devitemsllc; Devitemsllc shoplentor – All-in-one Woocommerce Growth & Store Enhancement Plugin; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: none
Values Added: Devitemsllc; Devitemsllc shoplentor – All-in-one Woocommerce Growth & Store Enhancement Plugin; Wordpress; Wordpress wordpress

Wed, 18 Feb 2026 05:00:00 +0000

Values Added (none removed):
Description: The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution plugin for WordPress is vulnerable to Email Relay Abuse in all versions up to, and including, 3.3.2. This is due to the lack of validation on the 'send_to', 'product_title', 'wlmessage', and 'wlemail' parameters in the 'woolentor_suggest_price_action' AJAX endpoint. This makes it possible for unauthenticated attackers to send arbitrary emails to any recipient with full control over the subject line, message content, and sender address (via CRLF injection in the 'wlemail' parameter), effectively turning the website into a full email relay for spam or phishing campaigns.
Title: ShopLentor <= 3.3.2 - Unauthenticated Email Relay Abuse via 'woolentor_suggest_price_action' AJAX Action
Weaknesses: CWE-93
References:
Metrics: cvssV3_1 {'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:24:37.106Z

Reserved: 2026-01-30T18:56:14.509Z

Link: CVE-2026-1714

Vulnrichment

Updated: 2026-02-18T12:26:33.080Z

NVD

Status: Deferred

Published: 2026-02-18T05:16:27.327

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1714

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T17:30:10Z

Weaknesses