ShopLento WooCommerce Builder <=3.3.8 Authenticated Stored XSS via blockUniqId (CVE-2026-6287)

Vulnerability Overview Vulnerability Name: ShopLento - WooCommerce Builder for Elementor & Gutenberg <= 3.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Product Grid 'blockUniqId' Block Attribute CVE ID: CVE-2026-6287 CVSS Score: 5.4 (Medium) Publication Date: May 26, 2026 Last Update Date: May 27, 2026 Researcher: ammonia - UC SANTA BARBARA Impact Scope Software Type: Plugin Software Name: wooqlentor-addons (view on wordpress.org) Affected Versions: <= 3.3.8 Fixed Version: 3.9 Remediation Recommendation: Upgrade to version 3.9 or later patched versions. Additional Information Vulnerability Description: The ShopLento - WooCommerce Builder for Elementor & Gutenberg plugin contains a stored cross-site scripting (XSS) vulnerability in multiple product grid blocks via the 'blockUniqId' block attribute in WordPress. Due to insufficient input sanitization and output escaping, attackers can inject arbitrary scripts that are executed when users visit the affected page. Reference Link: plugins.trac.wordpress.org Related Recent Vulnerabilities ShopLento - WooCommerce Builder for Elementor & Gutenberg <= 3.3.5 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'button_text' Shortcode Attribute - CVE ID: CVE-2026-4059 - CVSS Score: 6.4 - Researcher: zalm - Date: April 13, 2026 ShopLento <= 3.3.2 - Unauthenticated Email Relay Abuse via wooqlentor_suggest_price_action AJAX Action - CVE ID: CVE-2026-7174 - CVSS Score: 8.6 - Researcher: Teerachai Somprasong - Date: February 17, 2026 ShopLento <= 3.2.5 - Unauthenticated Local PHP File Inclusion via 'load_template' - CVE ID: CVE-2025-12493 - CVSS Score: 9.8 - Researcher: mikemyers - Date: November 3, 2025 ShopLento - WooCommerce Builder for Elementor & Gutenberg <= 3.2.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode - CVE ID: CVE-2025-11823 - CVSS Score: 6.4 - Researcher: theviper17y - Date: October 24, 2025 ShopLento <= 3.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting - CVE ID: CVE-2025-58990 - CVSS Score: 6.4 - Researcher: Denver Jackson - Date: September 9, 2025 ShopLento - WooCommerce Builder for Elementor & Gutenberg <= 3.1.2 - Unauthenticated Server-Side Request Forgery via URL Parameter - CVE ID: CVE-2025-3775 - CVSS Score: 6.5 - Researcher: mikemyers - Date: April 24, 2025 ShopLento - WooCommerce Builder for Elementor & Gutenberg <= 3.1.0 - Authenticated (Contributor+) Stored DOM-Based Cross-Site Scripting via Flash Sale Countdown Module - CVE ID: CVE-2025-1527 - CVSS Score: 6.4 - Researcher: Webbenaut - Date: March 11, 2025 ShopLento <= 2.9.8 - Authenticated (Contributor+) Sensitive Information Exposure via WL FAQ Widget Elementor Template - CVE ID: CVE-2024-9538 - CVSS Score: 4.3 - Researcher: Ankit Patel - Date: October 10, 2024 ShopLento - WooCommerce Builder for Elementor & Gutenberg <= 3.12 Modules - All in One Solution (formerly WooLentor) <= 2.9.7 - Authenticated (Contributor+) DOM-Based Stored Cross-Site Scripting - CVE ID: CVE-2024-8668 - CVSS Score: 6.4 - Researcher: Webbenaut - Date: September 24, 2024 ShopLento - WooCommerce Builder for Elementor & Gutenberg <= 3.12 Modules - All in One Solution (formerly WooLentor) <= 2.9.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via WL Product Horizontal Filter Widget - CVE ID: CVE-2024-5530 - CVSS Score: 6.4 - Researcher: wesley (wcraft) - Date: June 10, 2024 Summary This page lists multiple security vulnerabilities in the ShopLento plugin, including stored cross-site scripting, local file inclusion, and server-side request forgery. Users are advised to upgrade to the latest version as soon as possible to mitigate these vulnerabilities.

Goal Reached Thanks to every supporter — we hit 100%!

ShopLento WooCommerce Builder <=3.3.8 Authenticated Stored XSS via blockUniqId (CVE-2026-6287)