cleantalk
Vulnerabilities and Security Researches

ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor), CVE-2026-4059

CVE, Research URL

CVE-2026-4059

Home page URL

Security reports for ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor)

Application

ShopLentor – WooCommerce Builder for Elementor & Gutenberg +12 Modules – All in One Solution (formerly WooLentor)

Published on
Apr 14, 2026
Research Description
The ShopLentor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the woolentor_quickview_button shortcode's button_text attribute in all versions up to, and including, 3.3.5. This is due to insufficient input sanitization and missing output escaping on user-supplied shortcode attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Affected versions
max 3.3.6.
Status
vulnerable
Previous vulnerability researches
Enable Media Replace (CVE-2026-2732) , Apr 14, 2026
Enable Media Replace (CVE-2023-0255) , Jun 06, 2024
Enable Media Replace (CVE-2023-6737) , Jun 06, 2024
Enable Media Replace (998cd782c633045e5da1cdac6b7b7cd2ce8eb0d2) , Jun 06, 2024
Enable Media Replace (CVE-2022-2554) , Jun 06, 2024
New vulnerability
PixelYourSite – Your smart PIXEL (TAG) Manager (CVE-2026-1841) , Apr 15, 2026
Consensus Embed (CVE-2026-1823) , Apr 15, 2026
Media Library Folders (CVE-2026-2312) , Apr 15, 2026
Nexter Extension (CVE-2026-0726) , Apr 15, 2026
CallbackKiller service widget (CVE-2026-1944) , Apr 15, 2026