{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4059", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-12T17:15:49.497Z", "datePublished": "2026-04-14T03:37:33.893Z", "dateUpdated": "2026-04-14T14:04:52.486Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-14T03:37:33.893Z"}, "affected": [{"vendor": "devitemsllc", "product": "ShopLentor \u2013 All-in-One WooCommerce Growth & Store Enhancement Plugin", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.3.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The ShopLentor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the woolentor_quickview_button shortcode's button_text attribute in all versions up to, and including, 3.3.5. This is due to insufficient input sanitization and missing output escaping on user-supplied shortcode attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "ShopLentor <= 3.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'button_text' Shortcode Attribute", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fdf0b13e-154c-4007-bfc2-5346d906f7ca?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.3.4/includes/modules/quickview/includes/classes/Frontend/Shortcode.php#L61"}, {"url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/includes/modules/quickview/includes/classes/Frontend/Shortcode.php#L61"}, {"url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.3.4/includes/modules/quickview/includes/templates/quickview-button.php#L1"}, {"url": "https://ti.wordfence.io/vendors/patch/1796/download"}, {"url": "https://plugins.trac.wordpress.org/changeset/3493664/woolentor-addons/trunk/includes/modules/quickview/includes/classes/Frontend/Shortcode.php"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fwoolentor-addons/tags/3.3.5&new_path=%2Fwoolentor-addons/tags/3.3.6"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Djaidja Moundjid"}], "timeline": [{"time": "2026-03-12T17:31:14.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-13T14:48:10.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4059", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T14:02:11.467462Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:04:52.486Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4059", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-14T14:02:11.467462Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-14T14:04:05.738Z"}}], "cna": {"title": "ShopLentor <= 3.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'button_text' Shortcode Attribute", "credits": [{"lang": "en", "type": "finder", "value": "Djaidja Moundjid"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "devitemsllc", "product": "ShopLentor \u2013 All-in-One WooCommerce Growth & Store Enhancement Plugin", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.3.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-12T17:31:14.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-13T14:48:10.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fdf0b13e-154c-4007-bfc2-5346d906f7ca?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.3.4/includes/modules/quickview/includes/classes/Frontend/Shortcode.php#L61"}, {"url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/includes/modules/quickview/includes/classes/Frontend/Shortcode.php#L61"}, {"url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.3.4/includes/modules/quickview/includes/templates/quickview-button.php#L1"}, {"url": "https://ti.wordfence.io/vendors/patch/1796/download"}, {"url": "https://plugins.trac.wordpress.org/changeset/3493664/woolentor-addons/trunk/includes/modules/quickview/includes/classes/Frontend/Shortcode.php"}, {"url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fwoolentor-addons/tags/3.3.5&new_path=%2Fwoolentor-addons/tags/3.3.6"}], "descriptions": [{"lang": "en", "value": "The ShopLentor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the woolentor_quickview_button shortcode's button_text attribute in all versions up to, and including, 3.3.5. This is due to insufficient input sanitization and missing output escaping on user-supplied shortcode attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-14T03:37:33.893Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4059", "state": "PUBLISHED", "dateUpdated": "2026-04-14T14:04:52.486Z", "dateReserved": "2026-03-12T17:15:49.497Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-14T03:37:33.893Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The ShopLentor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the woolentor_quickview_button shortcode's button_text attribute in all versions up to, and including, 3.3.5. This is due to insufficient input sanitization and missing output escaping on user-supplied shortcode attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-4059", "lastModified": "2026-04-14T04:17:18.137", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-14T04:17:18.137", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.3.4/includes/modules/quickview/includes/classes/Frontend/Shortcode.php#L61"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/tags/3.3.4/includes/modules/quickview/includes/templates/quickview-button.php#L1"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/includes/modules/quickview/includes/classes/Frontend/Shortcode.php#L61"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3493664/woolentor-addons/trunk/includes/modules/quickview/includes/classes/Frontend/Shortcode.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Fwoolentor-addons/tags/3.3.5&new_path=%2Fwoolentor-addons/tags/3.3.6"}, {"source": "security@wordfence.com", "url": "https://ti.wordfence.io/vendors/patch/1796/download"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fdf0b13e-154c-4007-bfc2-5346d906f7ca?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.3.5]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "ShopLentor \u2013 All-in-One WooCommerce Growth & Store Enhancement Plugin", "source": "cna", "vendor": "devitemsllc"}, "product": "shoplentor_\u2013_all-in-one_woocommerce_growth_&_store_enhancement_plugin", "vendor": "devitemsllc"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-14T05:20:40.372563+00:00", "value": {"mitigation_remediation": ["Upgrade the ShopLentor plugin to version 3.3.6 or later, which implements proper input sanitization for the button_text attribute."], "summary": {"action": "Update Plugin", "impact": "Stored Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "All releases of the ShopLentor All\u2011in\u2011One WooCommerce Growth & Store Enhancement Plugin from DevItems LLC up to and including version 3.3.5 are affected. The flaw is fixed in version 3.3.6 and later.", "description_and_impact": "The vulnerability permits an attacker with Contributor or higher privileges to store malicious JavaScript through the button_text attribute of the woolentor_quickview_button shortcode. Because this attribute is neither sanitized nor escaped, the injected script remains in the database and is executed whenever any visitor loads a page containing the shortcode. Attackers can thereby steal cookies, hijack sessions, deface content, or disclose sensitive data to a prompted or background script, representing a classic web scripting weakness.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity, and the lack of an EPSS rating means the exact exploitation probability is unknown; however, the requirement for only Contributor\u2011level authentication makes the attack path reasonable in typical hosting scenarios. The vulnerability is not listed in the CISA KEV catalog, so no large\u2011scale active exploitation has been documented, but stored XSS is a well\u2011known vector for widespread damage once deployed."}}}}, "created": "2026-04-14T16:15:53.748713+00:00", "updated": "2026-04-14T16:30:50.225673+00:00", "vendors": ["devitemsllc", "devitemsllc$PRODUCT$shoplentor_\u2013_all-in-one_woocommerce_growth_&_store_enhancement_plugin", "wordpress", "wordpress$PRODUCT$wordpress"]}