Security Alert Summary
The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution plugin for WordPress contains an Email Relay Abuse vulnerability that allows unauthenticated attackers to send arbitrary email messages via the site. The issue exists in an AJAX endpoint that does not validate several input parameters, enabling control over recipients, subject, message content, and the sender address (including CRLF injection in the sender field).
CVE Details
- CVE ID: CVE-2026-1714
- Affected component: The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution plugin for WordPress
- Affected versions: All versions up to, and including, 3.3.2
- Published: February 18, 2026 at 05:16:27 AM UTC
- Last modified: February 18, 2026 at 05:16:27 AM UTC
- CVSS v3.1: Base Score 8.6, Severity: HIGH, Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N
- Authentication / Privileges / User Interaction: Authentication: none required; Privileges required: none; User interaction: none
- Primary impact: Confidentiality: None; Integrity: High; Availability: None
- CWE / weakness ID: CWE-93 (Improper Neutralization of CRLF Sequences, "CRLF Injection")
Technical Details
The vulnerability is an Email Relay Abuse issue in the plugin's AJAX handler. The woolentor_suggest_price_action AJAX endpoint, which is reachable without authentication, fails to validate the send_to, product_title, wlmessage, and wlemail request parameters before they are used to build and send an email. Because these values are neither validated nor sanitized, an unauthenticated attacker can choose the recipient addresses, the subject line, and the message body of the mail the site sends.
The report additionally notes that the wlemail parameter is susceptible to CRLF injection: a carriage-return/line-feed sequence inside the value terminates the sender header and lets the attacker append further header lines, so the sender address (and potentially other headers) is under attacker control. Combined, these issues turn the site into a full email relay for spam or phishing with attacker-controlled sender, subject, recipients, and content, and the mail leaves through the site's own mail configuration, so it carries whatever reputation and authentication (SPF, DKIM) the site's domain has.
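The pattern described above, as an added example that is not the plugin's code (the handler names, the nonce action and the hardened variant are assumptions; only the four parameter names come from the report): a WordPress AJAX handler that copies request parameters straight into wp_mail(), next to a hardened version that fixes the recipient server-side, validates the visitor's address, strips line breaks from every field, and requires a nonce.

```php
<?php
// Hypothetical WordPress AJAX handlers illustrating CVE-2026-1714's bug class.
// Not the ShopLentor plugin's code. Both handlers are registered for logged-out
// (nopriv) and logged-in requests, as a price-suggestion form would be.

// --- Vulnerable: every mail field is attacker-controlled --------------------
add_action( 'wp_ajax_nopriv_suggest_price_demo_vuln', 'suggest_price_demo_vuln' );
add_action( 'wp_ajax_suggest_price_demo_vuln', 'suggest_price_demo_vuln' );

function suggest_price_demo_vuln() {
    // Recipient, subject and body come straight from the request.
    $to      = $_POST['send_to'];
    $subject = $_POST['product_title'];
    $message = $_POST['wlmessage'];
    // wlemail = "attacker@example.com\r\nBcc: list@example.net" yields two header
    // lines: a forged From and an injected Bcc (CWE-93).
    $headers = 'From: ' . $_POST['wlemail'] . "\r\n";
    wp_mail( $to, $subject, $message, $headers );
    wp_die();
}

// --- Hardened: fixed recipient, validated sender, no CR/LF, nonce ----------
add_action( 'wp_ajax_nopriv_suggest_price_demo_safe', 'suggest_price_demo_safe' );
add_action( 'wp_ajax_suggest_price_demo_safe', 'suggest_price_demo_safe' );

function suggest_price_demo_safe() {
    // Nonce ties the request to a form the site rendered (works for logged-out
    // users too; the form must print wp_create_nonce( 'suggest_price_demo' )).
    check_ajax_referer( 'suggest_price_demo', 'nonce' );

    // sanitize_email() drops characters that are not valid in an address,
    // including CR and LF; is_email() then rejects anything malformed.
    $visitor = sanitize_email( wp_unslash( $_POST['wlemail'] ?? '' ) );
    if ( ! is_email( $visitor ) ) {
        wp_send_json_error( 'invalid email address', 400 );
    }

    // sanitize_text_field() removes line breaks, so the subject cannot carry
    // injected headers; sanitize_textarea_field() keeps line breaks in the body,
    // which is harmless because the body is not a header.
    $title   = sanitize_text_field( wp_unslash( $_POST['product_title'] ?? '' ) );
    $message = sanitize_textarea_field( wp_unslash( $_POST['wlmessage'] ?? '' ) );

    // The recipient is decided by the site, never by the request: that alone
    // removes the relay. The visitor's address goes into Reply-To, so the From
    // header stays a site address and the site does not spoof third parties.
    $to      = get_option( 'admin_email' );
    $subject = sprintf( 'Price suggestion for %s', $title );
    $headers = array( 'Reply-To: ' . $visitor );

    $sent = wp_mail( $to, $subject, $message, $headers );
    if ( $sent ) {
        wp_send_json_success();
    }
    wp_send_json_error( 'mail could not be sent', 500 );
}
```

The two changes that matter most are the fixed recipient (the request no longer decides who receives mail) and the refusal to place any request value in a header without sanitizing it to a single line; the nonce limits automated abuse but is not a substitute for either.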
How This Could Impact Your Website
In a typical small business WordPress site, this vulnerability could be abused by an external attacker to send large volumes of email appearing to come from your domain. For example, an attacker could use the site to send phishing messages to customers and partners, impersonating a site owner or staff member. Internal staff and external contractors who receive such messages may be more likely to follow phishing links or disclose credentials if the messages appear to come from legitimate addresses on your domain.
Practical consequences include exposure of internal or customer email addresses (if used as recipients), increased risk of targeted phishing against staff or customers, and reputational damage if your domain is used to distribute unwanted or malicious email. If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.
Recommended Actions
- Update the affected plugin as soon as a patched version is available (the fixed version is not specified in the CVE entry; the references include a trunk changeset for the affected file, so check the plugin changelog for the first release that contains it).
- Review and reduce unnecessary user roles, especially contributor-level or other roles that allow form/email features. Note that this does not mitigate this particular issue, which requires no account at all; it is general hardening.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from your site.
- Monitor site activity and outgoing mail logs for unusual behavior or unexpected volume. In web server logs, look for POST requests to wp-admin/admin-ajax.php with action=woolentor_suggest_price_action from unexpected sources or at unusual rates; in the mail log, look for bursts of messages from the web server user to recipients the site has no relationship with.
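An interim control for the monitoring and containment points above, as an added example rather than anything shipped by the plugin or by Freshy: a must-use plugin that logs every outbound message and short-circuits sends triggered by unauthenticated AJAX requests when they exceed a per-IP rate or carry a Bcc header, which a price-suggestion form never legitimately needs. The log path, the hourly threshold, and the Bcc heuristic are assumptions; it relies on the pre_wp_mail filter (WordPress 5.7 or later). It does not fix the vulnerability and is meant to buy time until the plugin is updated.

```php
<?php
/**
 * Plugin Name: Outbound mail guard (added example, interim mitigation)
 *
 * Place in wp-content/mu-plugins/ so it loads before regular plugins. Logs
 * every wp_mail() call and blocks abusive sends from logged-out AJAX requests.
 * Assumed values: 5 anonymous mails per IP per hour, log under wp-content.
 */

define( 'OMG_MAX_ANON_PER_HOUR', 5 );
define( 'OMG_LOG_FILE', WP_CONTENT_DIR . '/outbound-mail.log' );

add_filter( 'pre_wp_mail', 'omg_guard_outbound_mail', 10, 2 );

// Collapse CR/LF so an injected value cannot also forge lines in our own log.
function omg_one_line( $value ) {
    return preg_replace( '/[\r\n]+/', ' ', (string) $value );
}

function omg_guard_outbound_mail( $short_circuit, $atts ) {
    $to      = implode( ',', (array) ( $atts['to'] ?? array() ) );
    $subject = (string) ( $atts['subject'] ?? '' );
    $headers = (array) ( $atts['headers'] ?? array() );

    // wp_mail() accepts headers as one newline-separated string or as an
    // array; normalise to one header per element before inspecting them.
    if ( count( $headers ) === 1 ) {
        $headers = preg_split( '/\r\n|\r|\n/', (string) reset( $headers ) );
    }
    $has_bcc = false;
    foreach ( $headers as $h ) {
        if ( preg_match( '/^\s*bcc\s*:/i', $h ) ) {
            $has_bcc = true;
        }
    }

    $ip     = $_SERVER['REMOTE_ADDR'] ?? 'cli';
    $ajax   = function_exists( 'wp_doing_ajax' ) && wp_doing_ajax();
    $action = $ajax ? sanitize_key( $_REQUEST['action'] ?? '' ) : '';
    $anon   = $ajax && ! is_user_logged_in();

    $block = false;
    if ( $anon ) {
        // Per-IP counter in a transient; expires an hour after the first hit.
        $key   = 'omg_mail_' . md5( $ip );
        $count = (int) get_transient( $key ) + 1;
        set_transient( $key, $count, HOUR_IN_SECONDS );
        $block = $has_bcc || $count > OMG_MAX_ANON_PER_HOUR;
    }

    $line = sprintf(
        "%s ip=%s anon=%d action=%s to=%s subject=%s bcc=%d blocked=%d\n",
        gmdate( 'c' ), $ip, (int) $anon, $action,
        omg_one_line( $to ), omg_one_line( $subject ), (int) $has_bcc, (int) $block
    );
    error_log( $line, 3, OMG_LOG_FILE );

    // A non-null return makes wp_mail() skip sending and return this value.
    return $block ? false : $short_circuit;
}
```

Keep the log file outside the web root on production (the path above is an assumption chosen for brevity), and tune the threshold to the site's real volume of visitor-triggered mail before relying on the block: the goal is to cut off a relay burst, not to drop legitimate order or password-reset mail, which is sent from authenticated or non-AJAX code paths and is therefore never blocked by this filter.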
If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.3.1/classes/class.ajax_actions.php#L170
- https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.3.1/classes/class.ajax_actions.php#L189
- https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.3.1/classes/class.ajax_actions.php#L192
- https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/classes/class.ajax_actions.php#L170
- https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/classes/class.ajax_actions.php#L189
- https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/classes/class.ajax_actions.php#L192
- https://plugins.trac.wordpress.org/changeset/3461704/woolentor-addons/trunk/classes/class.ajax_actions.php?contextall=1
- https://www.wordfence.com/threat-intel/vulnerabilities/id/cf326914-6a38-4984-a2a7-66e05f41a96b?source=cve