{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1714", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-30T18:56:14.509Z", "datePublished": "2026-02-18T04:35:45.965Z", "dateUpdated": "2026-02-18T12:53:49.971Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-18T04:35:45.965Z"}, "affected": [{"vendor": "devitemsllc", "product": "ShopLentor \u2013 All-in-One WooCommerce Growth & Store Enhancement Plugin", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "3.3.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The ShopLentor \u2013 WooCommerce Builder for Elementor & Gutenberg +21 Modules \u2013 All in One Solution plugin for WordPress is vulnerable to Email Relay Abuse in all versions up to, and including, 3.3.2. This is due to the lack of validation on the 'send_to', 'product_title', 'wlmessage', and 'wlemail' parameters in the 'woolentor_suggest_price_action' AJAX endpoint. This makes it possible for unauthenticated attackers to send arbitrary emails to any recipient with full control over the subject line, message content, and sender address (via CRLF injection in the 'wlemail' parameter), effectively turning the website into a full email relay for spam or phishing campaigns."}], "title": "ShopLentor <= 3.3.2 - Unauthenticated Email Relay Abuse via 'woolentor_suggest_price_action' AJAX Action", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cf326914-6a38-4984-a2a7-66e05f41a96b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/classes/class.ajax_actions.php#L170"}, {"url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.3.1/classes/class.ajax_actions.php#L170"}, {"url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/classes/class.ajax_actions.php#L189"}, {"url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.3.1/classes/class.ajax_actions.php#L189"}, {"url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/classes/class.ajax_actions.php#L192"}, {"url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.3.1/classes/class.ajax_actions.php#L192"}, {"url": "https://plugins.trac.wordpress.org/changeset/3461704/woolentor-addons/trunk/classes/class.ajax_actions.php?contextall=1"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')", "cweId": "CWE-93", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "baseScore": 8.6, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Teerachai Somprasong"}], "timeline": [{"time": "2026-01-30T19:11:54.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-17T16:06:59.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T12:26:32.188077Z", "id": "CVE-2026-1714", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T12:53:49.971Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1714", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-18T12:26:32.188077Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T12:26:33.080Z"}}], "cna": {"title": "ShopLentor <= 3.3.2 - Unauthenticated Email Relay Abuse via 'woolentor_suggest_price_action' AJAX Action", "credits": [{"lang": "en", "type": "finder", "value": "Teerachai Somprasong"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.6, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N"}}], "affected": [{"vendor": "devitemsllc", "product": "ShopLentor \u2013 All-in-One WooCommerce Growth & Store Enhancement Plugin", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "3.3.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-30T19:11:54.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-17T16:06:59.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cf326914-6a38-4984-a2a7-66e05f41a96b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/classes/class.ajax_actions.php#L170"}, {"url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.3.1/classes/class.ajax_actions.php#L170"}, {"url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/classes/class.ajax_actions.php#L189"}, {"url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.3.1/classes/class.ajax_actions.php#L189"}, {"url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/classes/class.ajax_actions.php#L192"}, {"url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.3.1/classes/class.ajax_actions.php#L192"}, {"url": "https://plugins.trac.wordpress.org/changeset/3461704/woolentor-addons/trunk/classes/class.ajax_actions.php?contextall=1"}], "descriptions": [{"lang": "en", "value": "The ShopLentor \u2013 WooCommerce Builder for Elementor & Gutenberg +21 Modules \u2013 All in One Solution plugin for WordPress is vulnerable to Email Relay Abuse in all versions up to, and including, 3.3.2. This is due to the lack of validation on the 'send_to', 'product_title', 'wlmessage', and 'wlemail' parameters in the 'woolentor_suggest_price_action' AJAX endpoint. This makes it possible for unauthenticated attackers to send arbitrary emails to any recipient with full control over the subject line, message content, and sender address (via CRLF injection in the 'wlemail' parameter), effectively turning the website into a full email relay for spam or phishing campaigns."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-93", "description": "CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-18T04:35:45.965Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1714", "state": "PUBLISHED", "dateUpdated": "2026-02-18T12:53:49.971Z", "dateReserved": "2026-01-30T18:56:14.509Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-18T04:35:45.965Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The ShopLentor \u2013 WooCommerce Builder for Elementor & Gutenberg +21 Modules \u2013 All in One Solution plugin for WordPress is vulnerable to Email Relay Abuse in all versions up to, and including, 3.3.2. This is due to the lack of validation on the 'send_to', 'product_title', 'wlmessage', and 'wlemail' parameters in the 'woolentor_suggest_price_action' AJAX endpoint. This makes it possible for unauthenticated attackers to send arbitrary emails to any recipient with full control over the subject line, message content, and sender address (via CRLF injection in the 'wlemail' parameter), effectively turning the website into a full email relay for spam or phishing campaigns."}], "id": "CVE-2026-1714", "lastModified": "2026-02-18T05:16:27.327", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.6, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.0, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-02-18T05:16:27.327", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.3.1/classes/class.ajax_actions.php#L170"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.3.1/classes/class.ajax_actions.php#L189"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.3.1/classes/class.ajax_actions.php#L192"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/classes/class.ajax_actions.php#L170"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/classes/class.ajax_actions.php#L189"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/classes/class.ajax_actions.php#L192"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3461704/woolentor-addons/trunk/classes/class.ajax_actions.php?contextall=1"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cf326914-6a38-4984-a2a7-66e05f41a96b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-93"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}