ShopLentor – All-in-One WooCommerce Growth & Store Enhancement Plug…

Feb 17, 2026 | Plugins

Attack Vectors

CVE-2026-1714 affects the WordPress plugin ShopLentor – All-in-One WooCommerce Growth & Store Enhancement Plugin (slug: woolentor-addons) in versions up to and including 3.3.2. The vulnerability is rated High severity (CVSS 8.6).

The primary attack vector is remote and unauthenticated: an attacker can abuse the plugin’s “woolentor_suggest_price_action” AJAX action to trigger emails without needing a login. Because key input fields are not properly validated, an attacker can direct messages to arbitrary recipients and control the subject and content, turning your site into an email relay.

From a business perspective, this is attractive to attackers because it can be executed at scale (no user interaction required) and can be used to send spam, phishing, or brand-impersonation emails that appear connected to your organization.

Security Weakness

The weakness is insufficient validation of multiple parameters (send_to, product_title, wlmessage, and wlemail) submitted to the woolentor_suggest_price_action AJAX endpoint. This lack of validation enables email relay abuse, including control over message content and recipient.

According to the published advisory, the wlemail parameter can be leveraged to influence the sender address through CRLF injection, which increases the risk of convincing spoofed communications and reduces deliverability trust for legitimate business email.

Remediation is straightforward and time-sensitive: update ShopLentor to 3.3.3 or a newer patched version.
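As an added illustration, not the plugin's own code (the advisory does not reproduce it), this is the shape a hardened handler for such a "suggest a price" form takes: the recipient and subject are fixed server-side, the visitor's address is validated and kept out of the From header, and any value carrying CR/LF is rejected before it can reach mail headers. The example_ prefixed names, the product_id and nonce fields, and the 'suggest_price' nonce action are assumptions.

```php
<?php
// Illustrative hardened handler (assumed names; not ShopLentor's code). The form is
// assumed to POST wlemail, wlmessage, product_id and a nonce to admin-ajax.php.

// Reject any value that could smuggle extra mail headers via carriage return / line feed.
function example_has_crlf( $value ) {
    return (bool) preg_match( '/[\r\n]/', (string) $value );
}

function example_suggest_price_handler() {
    // Nonce check ties the request to a form the site issued (a CSRF/origin control;
    // rate limiting or a captcha is still needed against automated spam).
    check_ajax_referer( 'suggest_price', 'nonce' );

    $product_id = isset( $_POST['product_id'] ) ? absint( $_POST['product_id'] ) : 0;
    $product    = $product_id ? wc_get_product( $product_id ) : false;
    if ( ! $product ) {
        wp_send_json_error( 'unknown product', 400 );
    }

    $visitor_email = isset( $_POST['wlemail'] ) ? sanitize_email( wp_unslash( $_POST['wlemail'] ) ) : '';
    $message       = isset( $_POST['wlmessage'] ) ? sanitize_textarea_field( wp_unslash( $_POST['wlmessage'] ) ) : '';

    // The visitor address is accepted only as a single, well-formed line.
    if ( ! is_email( $visitor_email ) || example_has_crlf( $visitor_email ) ) {
        wp_send_json_error( 'invalid email', 400 );
    }

    // Recipient and subject come from the server, never from a send_to or product_title field.
    $to      = get_option( 'admin_email' );
    $subject = sprintf( 'Price suggestion for %s', $product->get_name() );

    // The visitor goes in Reply-To; From stays the site's own identity, so the
    // address cannot be used to spoof a sender.
    $headers = array( 'Reply-To: ' . $visitor_email );
    $body    = "A visitor suggested a price for {$product->get_name()}.\n\n" . $message;

    if ( ! wp_mail( $to, $subject, $body, $headers ) ) {
        wp_send_json_error( 'mail failed', 500 );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_example_suggest_price', 'example_suggest_price_handler' );
add_action( 'wp_ajax_example_suggest_price', 'example_suggest_price_handler' );
```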

Technical or Business Impacts

Brand and customer trust risk: Attackers can send convincing emails that reference your store or products, increasing the likelihood customers will blame your organization for phishing, scams, or unwanted messages.

Email deliverability and revenue impact: If your domain or infrastructure is associated with spam activity, you may see reduced deliverability for legitimate marketing and transactional emails (order confirmations, password resets, newsletters), directly impacting customer experience and sales.

Compliance and reporting exposure: Abuse of your web property to distribute malicious or deceptive messages can trigger internal incident response, vendor escalations, and potential notification obligations depending on your industry and policies—even if no customer data is exfiltrated.

Operational disruption: Marketing, support, and compliance teams may face increased tickets, chargebacks, and reputational cleanup if customers receive fraudulent messages tied to your brand.

Similar Attacks

Email abuse and relay-style vulnerabilities are commonly used to distribute phishing at scale and to exploit trust in well-known brands. Recent real-world examples include phishing campaigns impersonating trusted services and platforms:

Microsoft: Midnight Blizzard targeting corporate email accounts (security blog)

CISA Alert: Ongoing malicious activity targeting Outlook/Exchange/Microsoft 365

Google Threat Analysis Group: reports on phishing and abuse campaigns
