CVE-2026-4059

Name of the Vulnerable Software and Affected Versions ShopLentor plugin for WordPress versions up to 3.3.5

Description Stored Cross-Site Scripting occurs due to insufficient input sanitization and missing output escaping on user-supplied shortcode attributes. Authenticated attackers with Contributor-level access and above can inject arbitrary web scripts via the button text attribute of the woolentor quickview button shortcode, which execute when a user accesses the affected page.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.