CVE-2026-1714

8.6 HIGH

📋 TL;DR

This vulnerability allows unauthenticated attackers to abuse the ShopLentor WordPress plugin as an email relay. Attackers can send arbitrary emails with controlled content, subject lines, and sender addresses, potentially enabling spam or phishing campaigns. All WordPress sites using vulnerable versions of the ShopLentor plugin are affected.

💻 Affected Systems

Products:
  • ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution WordPress plugin
Versions: All versions up to and including 3.3.2
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default plugin configuration. No special configuration required for exploitation.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Website becomes a full email relay for large-scale spam/phishing campaigns, leading to domain/IP blacklisting, legal liability, and reputational damage.

🟠 Likely Case

Attackers send phishing emails or spam from the vulnerable website, potentially compromising recipients and causing email deliverability issues.

🟢 If Mitigated

With proper email security controls and monitoring, impact is limited to potential abuse detection and minor reputation damage.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP POST request to vulnerable endpoint with crafted parameters. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.3.3 or later

Vendor Advisory: https://wordpress.org/plugins/woolentor-addons/#developers

Restart Required: No

Instructions:

  1. Log into the WordPress admin panel.
  2. Navigate to Plugins → Installed Plugins.
  3. Find the ShopLentor plugin.
  4. Click 'Update Now' if an update is available.
  5. Alternatively, download version 3.3.3+ from the WordPress repository and update manually.

🔧 Temporary Workarounds

Disable vulnerable AJAX endpoint

Platform: all

Remove or restrict access to the 'woolentor_suggest_price_action' AJAX endpoint.

Add to the theme's functions.php or a custom plugin. The removal is hooked to init at a late priority so it runs after the plugin has registered its handler; the callback name is the one given in this advisory:

add_action('init', function () {
    remove_action('wp_ajax_nopriv_woolentor_suggest_price_action', 'woolentor_suggest_price_action');
}, 99);

Add to .htaccess if using Apache. RewriteRule does not match the query string, so the action must be tested with RewriteCond. This only blocks requests that carry the action in the query string; a POST that sends the action in the request body is not caught by this rule:

RewriteCond %{QUERY_STRING} (^|&)action=woolentor_suggest_price_action(&|$) [NC]
RewriteRule ^wp-admin/admin-ajax\.php$ - [F,L]

Disable plugin

Platform: linux

Temporarily disable the ShopLentor plugin until patched (WP-CLI):

wp plugin deactivate woolentor-addons

🧯 If You Can't Patch

  • Implement WAF rules to block requests to the vulnerable AJAX endpoint with suspicious email parameters
  • Monitor and rate-limit email sending from the web server

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → Installed Plugins for ShopLentor version. If version ≤ 3.3.2, vulnerable.

Check Version:

wp plugin get woolentor-addons --field=version

Verify Fix Applied:

Verify plugin version is 3.3.3 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /wp-admin/admin-ajax.php with action=woolentor_suggest_price_action
  • Spike in email sending from web server
  • HTTP 200 responses to AJAX requests with email-related parameters

Network Indicators:

  • Outbound SMTP traffic from web server with unusual patterns
  • HTTP POST requests to admin-ajax.php with crafted email headers

SIEM Query:

source="web_server_logs" AND uri="/wp-admin/admin-ajax.php" AND query="action=woolentor_suggest_price_action" AND (user_agent NOT CONTAINS "WordPress" OR referrer="-")
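The log indicators and SIEM query above, applied to access logs as an added example (not part of this advisory): it parses combined-format log lines, keeps requests to admin-ajax.php whose query string carries the vulnerable action, applies the same missing-referrer / non-WordPress user-agent heuristic as the SIEM query, and counts hits per source IP so bursts stand out. The log format and the sample lines are constructed; a POST that carries the action only in its body will not show the action in an access log and needs request-body logging or a WAF to be seen.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Apache/nginx "combined" log format (assumed format for the constructed sample).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
VULN_ACTION = "woolentor_suggest_price_action"


def is_suspect(line):
    """True if the line is a request to the vulnerable AJAX action that does not
    look like a normal browser page visit (no referrer, or non-WordPress UA)."""
    m = LOG_RE.match(line)
    if not m:
        return False
    url = urlsplit(m["target"])
    if not url.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    if VULN_ACTION not in parse_qs(url.query).get("action", []):
        return False
    # Same heuristic as the advisory's SIEM query.
    return m["referer"] in ("", "-") or "WordPress" not in m["ua"]


def suspects_by_ip(lines):
    """Count suspect hits per source IP so repeated abuse stands out."""
    return Counter(LOG_RE.match(l)["ip"] for l in lines if is_suspect(l))


# Constructed sample lines (not real traffic).
SAMPLE = [
    '203.0.113.7 - - [10/Jan/2026:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=woolentor_suggest_price_action HTTP/1.1" 200 55 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Jan/2026:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=woolentor_suggest_price_action HTTP/1.1" 200 55 "-" "python-requests/2.31"',
    '198.51.100.4 - - [10/Jan/2026:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=woolentor_suggest_price_action HTTP/1.1" 200 55 "https://shop.example/product/1" "Mozilla/5.0 WordPress/6.4"',
    '198.51.100.9 - - [10/Jan/2026:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "https://shop.example/wp-admin/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, n in suspects_by_ip(SAMPLE).most_common():
        print(f"{ip}: {n} suspect request(s) to {VULN_ACTION}")
```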
