Description
The ShopLentor - WooCommerce Builder for Elementor & Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blockUniqId' block attribute in multiple Product Grid blocks in versions up to, and including, 3.3.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Published: 2026-05-27
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in the ShopLentor plugin for WordPress and is triggered by the 'blockUniqId' attribute within multiple Product Grid blocks. Because the plugin fails to sanitize or escape the attribute value, an attacker can insert JavaScript code that will be served to any visitor who views the affected page. This amounts to a stored cross‑site scripting flaw that can be leveraged by authenticated contributors or higher roles.

Affected Systems

The affected product is the ShopLentor – All‑in‑One WooCommerce Growth & Store Enhancement Plugin developed by devitemsllc. Versions 3.3.8 and earlier are impacted; any site running those releases should check the installed version and note that the issue is resolved in later releases.

Risk and Exploitability

The CVSS score of 5.4 indicates moderate severity. No EPSS data is available and the vulnerability is not listed in CISA KEV, suggesting limited public exploitation data. Because the flaw requires valid contributor or higher credentials, the attack surface is limited to users with edit permissions, but once injected the malicious script runs in the browser context of every visitor to the maliciously modified page.

Generated by OpenCVE AI on May 27, 2026 at 06:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ShopLentor to the latest version that includes the security fix.
  • If an upgrade is not immediately feasible, restrict contributor‑level access or disable the ability to edit Product Grid blocks to eliminate the attack vector.
  • Implement a server‑side filter that removes or sanitizes the blockUniqId attribute from any product grid content before it is stored or displayed, ensuring that no unsanitized JavaScript is rendered.
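The third action above (a server-side filter that sanitizes blockUniqId) is easiest to understand next to the pattern that causes the bug. The PHP below is an added example written for this page, not ShopLentor's own code: it assumes a hypothetical dynamic block whose render callback uses a string attribute named blockUniqId as an HTML id hook, and shows the unescaped version beside the hardened one, followed by a site-level filter on WordPress core's render_block_data hook that constrains the attribute for every block before any render callback sees it.

```php
<?php
// Added example, not the plugin's code. Assumes a hypothetical dynamic block
// that declares 'blockUniqId' as a string attribute and uses it as an id.

// Vulnerable pattern (the class of bug described by CVE-2026-6287): the
// attribute value is concatenated into markup as-is. A contributor who can
// place the block controls the value, and anything that closes the quoted
// attribute becomes stored XSS for every visitor of the page.
function example_product_grid_render_vulnerable( array $attributes ): string {
    $id = $attributes['blockUniqId'] ?? '';
    return '<div class="product-grid" id="' . $id . '">...</div>';
}

// Hardened pattern: validate the type, constrain the value to what an id
// actually needs, and escape at the point of output.
//   sanitize_html_class() keeps only [A-Za-z0-9_-]
//   esc_attr()            escapes for an HTML attribute context
//   wp_unique_id()        supplies a generated id when nothing usable is left
function example_product_grid_render_hardened( array $attributes ): string {
    $raw = $attributes['blockUniqId'] ?? '';
    $id  = is_string( $raw ) ? sanitize_html_class( $raw ) : '';
    if ( '' === $id ) {
        $id = 'product-grid-' . wp_unique_id();
    }
    return '<div class="product-grid" id="' . esc_attr( $id ) . '">...</div>';
}

// Defence in depth while an upgrade is pending: sanitize 'blockUniqId' in the
// parsed block data before any render callback runs. The hook is WordPress
// core's 'render_block_data' filter; it fires for every block, so this does
// not depend on knowing the plugin's exact block names. Drop into a small
// mu-plugin so it loads regardless of theme or plugin order.
add_filter( 'render_block_data', function ( array $parsed_block ): array {
    if ( isset( $parsed_block['attrs']['blockUniqId'] ) ) {
        $value = $parsed_block['attrs']['blockUniqId'];
        $parsed_block['attrs']['blockUniqId'] =
            is_string( $value ) ? sanitize_html_class( $value ) : '';
    }
    return $parsed_block;
}, 10, 1 );
```

The filter only protects blocks that are rendered server-side from their attributes; if a block saves the value directly into static HTML in post_content, the stored markup itself has to be cleaned, and the hardened render callback in the plugin remains the real fix. Contributors do not hold the unfiltered_html capability, so their saved markup passes through wp_kses on save; the dynamic render path is where an unescaped attribute bypasses that protection, which is why the escaping belongs in the render callback.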


Advisories

No advisories yet.

History

Wed, 27 May 2026 11:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (empty)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 06:30:00 +0000

Type: First Time appeared
Values Removed: (empty)
Values Added: Devitemsllc; Devitemsllc shoplentor – All-in-one Woocommerce Growth & Store Enhancement Plugin; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (empty)
Values Added: Devitemsllc; Devitemsllc shoplentor – All-in-one Woocommerce Growth & Store Enhancement Plugin; Wordpress; Wordpress wordpress

Wed, 27 May 2026 05:00:00 +0000

Type: Description
Values Removed: (empty)
Values Added: The ShopLentor - WooCommerce Builder for Elementor & Gutenberg plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'blockUniqId' block attribute in multiple Product Grid blocks in versions up to, and including, 3.3.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Removed: (empty)
Values Added: ShopLentor - WooCommerce Builder for Elementor & Gutenberg <= 3.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Product Grid 'blockUniqId' Block Attribute

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-79

Type: References
Values Removed: (empty)
Values Added: (empty)

Type: Metrics (cvssV3_1)
Values Removed: (empty)
Values Added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

Devitemsllc Shoplentor – All-in-one Woocommerce Growth & Store Enhancement Plugin
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-27T10:40:57.768Z

Reserved: 2026-04-14T16:14:58.182Z

Link: CVE-2026-6287

Vulnrichment

Updated: 2026-05-27T10:40:52.605Z

NVD

Status : Deferred

Published: 2026-05-27T05:16:22.660

Modified: 2026-05-27T14:50:47.627

Link: CVE-2026-6287

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T06:30:06Z

Weaknesses