Stored Cross-Site Scripting in ShopLentor – WooCommerce Builder for Elementor & Gutenberg Plugin
CVE-2026-6287

5.4MEDIUM

Key Information:

Vendor: WordPress
Status: Shoplentor – All-in-one WooCommerce Growth & Store Enhancement Plugin
Vendor: CVE Published:; 27 May 2026

What is CVE-2026-6287?

The ShopLentor - WooCommerce Builder for Elementor & Gutenberg plugin for WordPress contains a vulnerability that allows for stored cross-site scripting. This occurs through the 'blockUniqId' attribute in various Product Grid blocks. Due to inadequate input sanitization and output escaping, authenticated users with contributor-level permissions or higher can inject arbitrary scripts. These scripts become active whenever affected users access the compromised pages, thereby potentially leading to harmful user data exposure or site manipulation.

Affected Version(s)

ShopLentor – All-in-One WooCommerce Growth & Store Enhancement Plugin 0 <= 3.3.8

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3521229/wool...

CVSS V3.1

Score:

5.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 27, 2026
Vulnerability Reserved
Apr 14, 2026

Credit

Ravindu De Silva

CVE-2026-6287 Data

JSON