Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
6.4
ShopLentor WordPress Plugin Allows Attacker-Added Scripts to Run
CVE-2026-4059
Summary
The ShopLentor WordPress plugin has a security weakness that allows an attacker with administrative access to inject malicious code into a website. This could allow the attacker to perform unauthorized actions on the site. To fix this, update the ShopLentor plugin to the latest version or remove it if it's not essential to your website.
Original title
The ShopLentor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the woolentor_quickview_button shortcode's button_text attribute in all versions up to, and including, 3.3.5. Th...
Original description
The ShopLentor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the woolentor_quickview_button shortcode's button_text attribute in all versions up to, and including, 3.3.5. This is due to insufficient input sanitization and missing output escaping on user-supplied shortcode attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
nvd CVSS3.1
6.4
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
- https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.3.4/includes/...
- https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.3.4/includes/...
- https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/includes/modul...
- https://plugins.trac.wordpress.org/changeset/3493664/woolentor-addons/trunk/incl...
- https://plugins.trac.wordpress.org/changeset?old_path=%2Fwoolentor-addons/tags/3...
- https://ti.wordfence.io/vendors/patch/1796/download
- https://www.wordfence.com/threat-intel/vulnerabilities/id/fdf0b13e-154c-4007-bfc...
Published: 14 Apr 2026 · Updated: 14 Apr 2026 · First seen: 14 Apr 2026