ShopLentor Plugin Can Be Used to Send Spam Emails
CVE-2026-1714
Summary
A security issue in the ShopLentor plugin for WordPress allows unauthenticated attackers to send emails to any recipient using the plugin's functionality. This could be used for spam or phishing campaigns. Update the plugin to a version newer than 3.3.2 to fix the issue.
Original title
The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution plugin for WordPress is vulnerable to Email Relay Abuse in all versions up to, and including, 3.3.2....
Original description
The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution plugin for WordPress is vulnerable to Email Relay Abuse in all versions up to, and including, 3.3.2. This is due to the lack of validation on the 'send_to', 'product_title', 'wlmessage', and 'wlemail' parameters in the 'woolentor_suggest_price_action' AJAX endpoint. This makes it possible for unauthenticated attackers to send arbitrary emails to any recipient with full control over the subject line, message content, and sender address (via CRLF injection in the 'wlemail' parameter), effectively turning the website into a full email relay for spam or phishing campaigns.
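A defensive screen built from the action and parameter names in the description above, as an added example that is not the plugin's code or its patch: it checks decoded request parameters (for instance when testing a WAF rule or reviewing captured requests) for the missing validation the advisory describes. The recipient allowlist, the strict address pattern, the mapping of fields to mail headers and the sample requests are assumptions constructed for illustration.

```python
import re

# Action and parameter names are taken from the advisory text.
ACTION = "woolentor_suggest_price_action"
# Assumption: these fields end up in mail headers (recipient, subject, sender).
# 'wlmessage' is body text, where line breaks are legitimate, so it is not listed.
HEADER_BOUND = ("send_to", "product_title", "wlemail")
ADDRESS_FIELDS = ("send_to", "wlemail")

CRLF = re.compile(r"[\r\n]")
# Deliberately strict single-address pattern (assumption, not full RFC 5322).
ADDRESS = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def screen_request(params, allowed_recipients):
    """Return findings for one decoded request; an empty list means clean."""
    if params.get("action") != ACTION:
        return []
    findings = []
    for name in HEADER_BOUND:
        if CRLF.search(params.get(name, "")):
            findings.append(f"{name}: CR/LF in header-bound field")
    for name in ADDRESS_FIELDS:
        if not ADDRESS.fullmatch(params.get(name, "")):
            findings.append(f"{name}: not a single well-formed address")
    if params.get("send_to", "").strip().lower() not in allowed_recipients:
        findings.append("send_to: recipient not configured by the site")
    return findings


# Constructed sample requests (not captured traffic).
CONSTRUCTED_REQUESTS = [
    {"action": ACTION, "send_to": "owner@shop.example",
     "product_title": "Blue mug", "wlmessage": "Would you take 8?",
     "wlemail": "buyer@mail.example"},
    {"action": ACTION, "send_to": "someone@elsewhere.example",
     "product_title": "Blue mug", "wlmessage": "hi",
     "wlemail": "buyer@mail.example\r\nX-Constructed: 1"},
]

if __name__ == "__main__":
    for req in CONSTRUCTED_REQUESTS:
        print(screen_request(req, {"owner@shop.example"}) or "clean")
```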
nvd CVSS3.1
8.6
Vulnerability type
CWE-93
- https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.3.1/classes/c...
- https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.3.1/classes/c...
- https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.3.1/classes/c...
- https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/classes/class....
- https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/classes/class....
- https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/classes/class....
- https://plugins.trac.wordpress.org/changeset/3461704/woolentor-addons/trunk/clas...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/cf326914-6a38-4984-a2a...
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026