CVE-2026-1714
Published: 18 February 2026
Summary
CVE-2026-1714 is a high-severity CRLF Injection (CWE-93) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 17.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly mitigates the lack of validation on the 'send_to', 'product_title', 'wlmessage', and 'wlemail' parameters, preventing CRLF injection (CWE-93) and arbitrary email relay abuse via the AJAX endpoint.
- AC-3 (Access Enforcement): enforces logical access controls requiring authentication for the unauthenticated 'woolentor_suggest_price_action' AJAX endpoint, blocking remote exploitation by attackers with no privileges.
- Output filtering: filters malicious content and CRLF sequences in email outputs generated from unvalidated AJAX parameters prior to transmission, reducing the impact of relay abuse.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct remote exploitation of a public-facing WordPress plugin (T1190); abuse enables arbitrary email relay for phishing/spam campaigns (T1566).
NVD Description
The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution plugin for WordPress is vulnerable to Email Relay Abuse in all versions up to, and including, 3.3.2. This is due to the lack of validation on the 'send_to', 'product_title', 'wlmessage', and 'wlemail' parameters in the 'woolentor_suggest_price_action' AJAX endpoint. This makes it possible for unauthenticated attackers to send arbitrary emails to any recipient with full control over the subject line, message content, and sender address (via CRLF injection in the 'wlemail' parameter), effectively turning the website into a full email relay for spam or phishing campaigns.
Deeper analysis
CVE-2026-1714 affects the ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution plugin for WordPress, in all versions up to and including 3.3.2. The vulnerability enables Email Relay Abuse due to insufficient validation of the 'send_to', 'product_title', 'wlmessage', and 'wlemail' parameters in the 'woolentor_suggest_price_action' AJAX endpoint. This issue, classified under CWE-93 (Improper Neutralization of CRLF Sequences), has a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:H/A:N), indicating high severity with network accessibility, low complexity, no privileges required, no user interaction, changed scope, high integrity impact, and no confidentiality or availability impact.
Unauthenticated attackers can exploit this vulnerability remotely by sending crafted requests to the AJAX endpoint. They gain full control over email recipients via 'send_to', subject lines via 'product_title', message content via 'wlmessage', and sender addresses via CRLF injection in the 'wlemail' parameter. This effectively transforms the affected WordPress site into an open email relay, allowing attackers to conduct spam or phishing campaigns by relaying arbitrary emails to any target.
The provided references point to specific lines in the plugin's source code, including lines 170, 189, and 192 of classes/class.ajax_actions.php in tags/3.3.1 and the trunk branch, highlighting the locations where the unvalidated parameters are processed. No explicit patch or mitigation details are given in the available information.
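The two controls listed under Mitigating Controls (SI-10 input validation and AC-3 access enforcement) and the failure mode described in the analysis above can be shown together in a WordPress AJAX handler. The following is an added illustrative example, not the ShopLentor plugin's code or its fix: the hook name reuses the action the advisory names, but the handler name, the nonce action 'example_suggest_price', the 'product_id' field and the fixed admin recipient are assumptions. The design point is that nothing that ends up in a mail header ('send_to', 'product_title', the From address) is taken from the request any more; the visitor's address is validated and only placed in Reply-To, and the free-text message is sanitized before it reaches wp_mail().

```php
<?php
// Illustrative hardened "suggest price" AJAX handler (example code, not the plugin's own).
// Assumed names: example_* functions, the 'example_suggest_price' nonce action, 'product_id'.

add_action( 'wp_ajax_woolentor_suggest_price_action', 'example_suggest_price_handler' );
// AC-3: if the feature can be limited to logged-in users, drop the nopriv hook below so the
// endpoint is no longer reachable without authentication.
add_action( 'wp_ajax_nopriv_woolentor_suggest_price_action', 'example_suggest_price_handler' );

/**
 * Remove CR, LF and other control characters so a value can never end a header line
 * (CWE-93) if it is ever interpolated into an email header.
 */
function example_strip_header_breaks( $value ) {
	return preg_replace( '/[\r\n\x00-\x1F\x7F]/', '', (string) $value );
}

function example_suggest_price_handler() {
	// The nonce stops blind cross-site posts; logged-out nonces are shared, so this is
	// not an authentication control on its own. The validation below is what matters.
	check_ajax_referer( 'example_suggest_price', 'nonce' );

	$raw = wp_unslash( $_POST );

	// SI-10: the visitor address must be one syntactically valid email. is_email() rejects
	// CR/LF, so a second header can no longer be injected through 'wlemail'.
	$visitor_email = isset( $raw['wlemail'] ) ? sanitize_email( $raw['wlemail'] ) : '';
	if ( '' === $visitor_email || ! is_email( $visitor_email ) ) {
		wp_send_json_error( array( 'message' => 'A valid email address is required.' ), 400 );
	}

	// The subject is built from the stored product title, never from 'product_title'.
	$product_id = isset( $raw['product_id'] ) ? absint( $raw['product_id'] ) : 0;
	$product    = $product_id ? get_post( $product_id ) : null;
	if ( ! $product || 'product' !== $product->post_type ) {
		wp_send_json_error( array( 'message' => 'Unknown product.' ), 400 );
	}

	// Free-text message: strip tags, normalise control characters, cap the length.
	$message = isset( $raw['wlmessage'] ) ? sanitize_textarea_field( $raw['wlmessage'] ) : '';
	$message = mb_substr( $message, 0, 2000 );

	// Recipient is fixed server-side; a 'send_to' value in the request is ignored entirely.
	$to      = get_option( 'admin_email' );
	$subject = example_strip_header_breaks( 'Price suggestion for: ' . get_the_title( $product ) );

	// From stays the site's own address; the validated visitor address goes in Reply-To only.
	$headers = array(
		'Content-Type: text/plain; charset=UTF-8',
		'Reply-To: ' . $visitor_email,
	);

	$body = sprintf(
		"Product: %s\nVisitor email: %s\n\n%s",
		get_the_title( $product ),
		$visitor_email,
		$message
	);

	if ( ! wp_mail( $to, $subject, $body, $headers ) ) {
		wp_send_json_error( array( 'message' => 'Could not send the suggestion.' ), 500 );
	}

	wp_send_json_success( array( 'message' => 'Thanks, your suggestion was sent.' ) );
}
```

The example uses only core WordPress functions (check_ajax_referer, wp_unslash, sanitize_email, is_email, absint, sanitize_textarea_field, wp_mail, wp_send_json_error/success). When reviewing a real handler for this class of bug, the check is the same one the example encodes: trace each request parameter to the wp_mail() call and confirm that none of them reaches the recipient list, the subject or a header without passing through an email validator or a control-character filter first.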
Details
- CWE(s)