CVE-2026-6287
Stored XSS in ShopLentor WooCommerce Builder for Elementor & Gutenberg
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| shoplentor | woocommerce_builder_for_elementor | to 3.3.8 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the ShopLentor - WooCommerce Builder for Elementor & Gutenberg plugin for WordPress, specifically in versions up to and including 3.3.8. It is a Stored Cross-Site Scripting (XSS) issue caused by insufficient input sanitization and output escaping of the 'blockUniqId' block attribute in multiple Product Gride blocks.
This flaw allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages. These scripts will execute whenever any user accesses the injected page.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized script execution in the context of the affected website. An attacker with contributor-level access can inject malicious scripts that execute when other users visit the compromised pages.
- It can result in theft of user credentials or session tokens.
- It may allow attackers to perform actions on behalf of other users.
- It can lead to defacement or manipulation of website content.