CVE-2026-1714 Overview
A critical Email Relay Abuse vulnerability has been identified in the ShopLentor – WooCommerce Builder for Elementor & Gutenberg plugin for WordPress. This vulnerability affects all versions up to and including 3.3.2, allowing unauthenticated attackers to exploit the plugin's AJAX endpoint to send arbitrary emails to any recipient. The flaw effectively transforms vulnerable WordPress installations into open email relays that can be leveraged for spam distribution or phishing campaigns.
Critical Impact
Unauthenticated attackers can weaponize affected WordPress sites as email relays for spam and phishing campaigns, with full control over sender address, subject line, and message content through CRLF injection.
Affected Products
- ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution plugin versions up to and including 3.3.2
- WordPress sites running vulnerable versions of the woolentor-addons plugin
- WooCommerce stores utilizing the ShopLentor plugin's "Suggest Price" functionality
Discovery Timeline
- 2026-02-18 - CVE-2026-1714 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2026-1714
Vulnerability Analysis
The vulnerability resides in the woolentor_suggest_price_action AJAX endpoint within the ShopLentor plugin. This endpoint is designed to allow customers to suggest prices for products, but it fails to implement proper input validation on several critical parameters. The affected parameters include send_to, product_title, wlmessage, and wlemail.
Because the endpoint is accessible without authentication (using the WordPress wp_ajax_nopriv_ hook), any unauthenticated user can invoke this functionality. The lack of sanitization allows attackers to control the email recipient, subject line, and body content. More critically, the wlemail parameter is vulnerable to CRLF (Carriage Return Line Feed) injection, which enables attackers to manipulate email headers and effectively spoof the sender address.
This combination of weaknesses means an attacker can craft malicious requests that send emails appearing to originate from the vulnerable website to any arbitrary recipient, making the WordPress installation function as an open email relay.
Root Cause
The root cause is classified as CWE-93 (Improper Neutralization of CRLF Sequences). The vulnerable code in class.ajax_actions.php directly uses user-supplied input for email parameters without proper validation or sanitization. Specifically:
- The send_to parameter is used directly as the recipient email address without verifying it belongs to an authorized domain or user
- The wlemail parameter is incorporated into email headers without stripping CRLF characters, enabling header injection
- The product_title and wlmessage parameters form the subject and body without content restrictions
- No nonce verification or capability checks are performed on the AJAX endpoint
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending crafted HTTP POST requests to the WordPress AJAX handler. The attack flow involves:
- The attacker identifies a WordPress site running a vulnerable ShopLentor version
- A POST request is crafted targeting /wp-admin/admin-ajax.php with action=woolentor_suggest_price_action
- The send_to parameter is set to the victim's email address
- The wlemail parameter includes CRLF sequences followed by additional headers like From: trusted@legitimate-domain.com
- Custom product_title and wlmessage values are provided to craft convincing phishing content
- The vulnerable site processes the request and sends the malicious email through its mail server
The vulnerability enables attackers to conduct phishing campaigns, distribute spam, and potentially damage the reputation of the compromised website's domain by getting it blacklisted by email providers. Detailed technical analysis is available in the Wordfence Vulnerability Analysis.
Detection Methods for CVE-2026-1714
Indicators of Compromise
- Unusual volume of POST requests to /wp-admin/admin-ajax.php with action=woolentor_suggest_price_action
- Email server logs showing unexpected outbound emails with varied recipients not associated with normal business operations
- Presence of CRLF sequences (%0d%0a or \r\n) in web server access logs within request parameters
- Reports from recipients or email services indicating spam/phishing originating from your domain
- Sudden increase in mail queue size or email sending rate from WordPress installation
Detection Strategies
- Implement web application firewall (WAF) rules to detect and block requests containing CRLF sequences in POST parameters
- Monitor Apache/Nginx access logs for high-frequency requests to the AJAX endpoint with the woolentor_suggest_price_action action
- Set up alerting on email server for unusual outbound email patterns or volume spikes
- Use SentinelOne's Singularity Platform to detect suspicious PHP process behavior and anomalous network activity from web server processes
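The indicators and detection strategies above can be checked mechanically against web server access logs. The following added example (not from the advisory, SentinelOne or ShopLentor) scans combined-format Apache/Nginx log lines, picks out admin-ajax.php requests that carry the woolentor_suggest_price_action action, flags those whose parameters contain an encoded CRLF (%0d%0a), and reports any source address that exceeds a request-rate threshold. The log lines, the threshold (5 requests in 60 seconds) and the assumption that the action appears in the query string are all constructed for the example; a standard access log records only the request line, so parameters sent in a POST body are invisible to it and need a WAF or application-level logging instead.

```python
"""Scan combined-format web access logs for CVE-2026-1714 indicators.

Added example, not from the advisory, SentinelOne or ShopLentor. It picks
out requests to admin-ajax.php that name the woolentor_suggest_price_action
action in the query string, flags those whose parameters contain an encoded
CRLF (%0d%0a), and reports any source address that exceeds a request-rate
threshold. Access logs record only the request line, so parameters sent in
a POST body are invisible here; that case needs a WAF or application log.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlsplit

# Apache/Nginx "combined" format: the request line is captured as method + target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
ACTION = "woolentor_suggest_price_action"
CRLF_RE = re.compile(r"%0d%0a|\r\n", re.IGNORECASE)
RATE_THRESHOLD = 5                    # requests from one address ...
RATE_WINDOW = timedelta(seconds=60)   # ... within this window trigger an alert

# Constructed sample, not real traffic: five rapid hits from one address (one with an
# encoded CRLF in wlemail), an unrelated page view, and a single hit from another address.
SAMPLE_LOG = """\
203.0.113.7 - - [18/Feb/2026:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=woolentor_suggest_price_action HTTP/1.1" 200 31 "-" "Mozilla/5.0"
203.0.113.7 - - [18/Feb/2026:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=woolentor_suggest_price_action&wlemail=a%40example.test%0d%0aX-Test%3A+1 HTTP/1.1" 200 31 "-" "curl/8.0"
203.0.113.7 - - [18/Feb/2026:10:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=woolentor_suggest_price_action HTTP/1.1" 200 31 "-" "curl/8.0"
203.0.113.7 - - [18/Feb/2026:10:00:04 +0000] "POST /wp-admin/admin-ajax.php?action=woolentor_suggest_price_action HTTP/1.1" 200 31 "-" "curl/8.0"
203.0.113.7 - - [18/Feb/2026:10:00:05 +0000] "POST /wp-admin/admin-ajax.php?action=woolentor_suggest_price_action HTTP/1.1" 200 31 "-" "curl/8.0"
198.51.100.4 - - [18/Feb/2026:10:05:00 +0000] "GET /shop/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.9 - - [18/Feb/2026:10:06:00 +0000] "POST /wp-admin/admin-ajax.php?action=woolentor_suggest_price_action HTTP/1.1" 200 31 "-" "Mozilla/5.0"
"""


def parse_line(line: str):
    """Return the fields of one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_suggest_price_request(target: str) -> bool:
    """True for admin-ajax.php requests whose query string selects the vulnerable action."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return False
    return ACTION in parse_qs(parts.query).get("action", [])


def has_crlf(target: str) -> bool:
    """True if the raw target or any decoded parameter value carries a CRLF sequence."""
    if CRLF_RE.search(target):
        return True
    values = [v for vals in parse_qs(urlsplit(target).query).values() for v in vals]
    return any(CRLF_RE.search(v) for v in values)


def scan(lines):
    """Return (alerts, counts): alerts as (kind, ip, target) tuples, counts per source ip."""
    alerts = []
    hits = defaultdict(list)  # ip -> timestamps of suggest-price requests seen so far
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_suggest_price_request(rec["target"]):
            continue
        ip, now = rec["ip"], rec["time"]
        hits[ip].append(now)
        if has_crlf(rec["target"]):
            alerts.append(("crlf_in_request", ip, rec["target"]))
        # sliding window: how many of this address's hits fall within RATE_WINDOW of now
        recent = [t for t in hits[ip] if now - t <= RATE_WINDOW]
        if len(recent) == RATE_THRESHOLD:  # fire once, when the threshold is first crossed
            alerts.append(("rate_threshold", ip, rec["target"]))
    return alerts, {ip: len(ts) for ip, ts in hits.items()}


if __name__ == "__main__":
    found, per_ip = scan(SAMPLE_LOG.splitlines())
    for kind, ip, target in found:
        print(f"{kind:16} {ip:14} {target}")
    print("requests per source:", per_ip)
```

Run against the constructed sample, the scanner raises one CRLF alert for the second line and one rate alert when the fifth request from 203.0.113.7 lands inside the window; the per-address counts are the starting point for the rate limiting recommended below.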
Monitoring Recommendations
- Enable detailed logging for WordPress AJAX requests and review logs for exploitation attempts
- Configure email server monitoring to alert on messages with spoofed headers or unusual sender patterns
- Implement rate limiting on the WordPress AJAX endpoint to prevent automated exploitation
- Deploy SentinelOne agents on web servers to provide real-time behavioral analysis and threat detection
How to Mitigate CVE-2026-1714
Immediate Actions Required
- Update the ShopLentor plugin to a patched version immediately (versions after 3.3.2)
- If immediate update is not possible, disable the plugin temporarily until a fix can be applied
- Review email server logs for signs of prior exploitation and investigate any suspicious outbound mail activity
- Consider temporarily blocking access to the vulnerable AJAX action via .htaccess or web server configuration
- Notify your email service provider if you suspect the vulnerability has been exploited to prevent domain reputation damage
Patch Information
A security patch has been released addressing this vulnerability. The fix includes proper input validation for all affected parameters and implements sanitization to prevent CRLF injection. The WordPress Change Set #3461704 documents the code changes made to resolve this issue. Site administrators should update to the latest version of ShopLentor through the WordPress plugin update mechanism or by downloading directly from the WordPress plugin repository.
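The root cause list above and the patch description here both come down to the same set of checks a handler must make before user input reaches a mail API. The following added example (not ShopLentor's code and not its patch, written in plain Python rather than PHP to show the checks independently of WordPress) does that for the four parameters named in this advisory: the recipient is fixed server-side instead of taken from send_to, any value bound for a header is refused if it contains CR, LF or other control characters, wlemail must be a single well-formed address, and wlmessage goes only into the message body. The owner address, the length limits and the parameter handling are assumptions made for the example.

```python
"""Server-side validation for a "suggest price" mail handler (illustrative).

Added example, not ShopLentor code and not its patch. It shows in plain
Python the checks a CWE-93 fix must make before user input reaches a mail
API: the recipient is fixed server-side instead of read from the request,
any value bound for a header is rejected if it contains CR, LF or other
control characters, and free text goes only into the message body.
"""
import re

# Constructed placeholder: the only legitimate recipient of a price suggestion
# is the shop owner, so the address comes from configuration, never from the client.
SHOP_OWNER_EMAIL = "owner@example-shop.test"

# One local part, one domain with at least one dot, no whitespace or control characters.
_EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")
# CR (0x0d), LF (0x0a) and every other ASCII control character.
_CTRL_RE = re.compile(r"[\x00-\x1f\x7f]")

MAX_TITLE = 120   # assumed limit for the product title used in the subject
MAX_BODY = 4000   # assumed limit for the free-text message


class InvalidRequest(ValueError):
    """Raised when a parameter fails validation; the caller must not send mail."""


def clean_header_value(value: str, max_len: int) -> str:
    """Validate a value destined for a header line (here: the subject)."""
    if _CTRL_RE.search(value):
        raise InvalidRequest("control characters (CR/LF) are not allowed in header values")
    value = value.strip()
    if not value or len(value) > max_len:
        raise InvalidRequest("header value empty or too long")
    return value


def clean_email(value: str) -> str:
    """Accept exactly one well-formed address; anything else is refused."""
    if _CTRL_RE.search(value):
        raise InvalidRequest("control characters are not allowed in an email address")
    value = value.strip()
    if not _EMAIL_RE.fullmatch(value):
        raise InvalidRequest("not a single well-formed email address")
    return value


def build_suggestion_mail(params: dict) -> dict:
    """Turn raw request parameters into a fixed-shape message.

    `send_to` is ignored on purpose: letting the client choose the
    recipient is exactly what turns the site into an open relay.
    """
    customer = clean_email(params.get("wlemail", ""))
    title = clean_header_value(params.get("product_title", ""), MAX_TITLE)
    message = params.get("wlmessage", "")
    if len(message) > MAX_BODY:
        raise InvalidRequest("message too long")
    return {
        "to": SHOP_OWNER_EMAIL,
        "subject": f"Price suggestion for {title}",
        "reply_to": customer,  # the customer's address only ever lands in Reply-To
        "body": f"Suggested by {customer}:\n\n{message}",
    }


def is_rejected(params: dict) -> bool:
    """True when the request would be refused (useful for tests and attempt logging)."""
    try:
        build_suggestion_mail(params)
    except InvalidRequest:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a normal suggestion and one with a CRLF in the email field.
    print(build_suggestion_mail({"wlemail": "alice@example.test",
                                 "product_title": "Blue Mug",
                                 "wlmessage": "How about 5 EUR?",
                                 "send_to": "someone-else@example.org"}))
    print(is_rejected({"wlemail": "alice@example.test\r\nX-Test: 1",
                       "product_title": "Mug", "wlmessage": "hi"}))
```

In a WordPress handler the equivalent pieces are a nonce or capability check on the AJAX action, is_email()/sanitize_email() on the customer address, and passing only the configured admin address to wp_mail(); the point of the example is that rejecting control characters in every header-bound field, not merely encoding them, is what closes CWE-93.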
Workarounds
- Add web server rules to block requests to the AJAX endpoint containing the vulnerable action parameter
- Implement server-side email rate limiting to reduce the impact of potential abuse
- Use a WordPress security plugin to add additional input validation and nonce requirements to AJAX endpoints
- Configure your mail server to restrict relay capabilities and implement SPF, DKIM, and DMARC policies
# Apache .htaccess workaround: refuse GET or POST requests to admin-ajax.php that name
# the vulnerable action in the query string. mod_rewrite has no access to the POST body,
# so a request that sends action=... only in the body is not stopped by this rule; that
# case needs a WAF (for example mod_security) or deactivating the plugin.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-admin/admin-ajax\.php$
RewriteCond %{QUERY_STRING} (^|&)action=woolentor_suggest_price_action(&|$) [NC]
RewriteRule .* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

