The ShopLentor – All-in-One WooCommerce Growth & Store Enhancement Plugin for WordPress suffers from a CRLF injection vulnerability (CWE-93) in the 'woolentor_suggest_price_action' AJAX endpoint. The plugin fails to validate the 'send_to', 'product_title', 'wlmessage', and 'wlemail' parameters, allowing unauthenticated attackers to inject carriage return and line feed characters into the 'wlemail' parameter. This enables attackers to manipulate email headers and send arbitrary emails through the website, effectively turning it into an open email relay. The vulnerability affects all versions up to and including 3.3.2. The CVSS v3.1 base score is 8.6, indicating high severity with network attack vector, low attack complexity, no privileges required, no user interaction, and a scope change. The impact is high on integrity but does not affect confidentiality or availability.

An attacker can exploit this vulnerability to send arbitrary emails from the affected website, controlling the recipient, subject, message content, and sender address. This can be leveraged to conduct spam or phishing campaigns using the compromised site as an email relay. The integrity of email communications is compromised, but there is no direct impact on confidentiality or availability of the system. No known exploits are currently reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official patch or fix is referenced, users should monitor the vendor's communications for updates. Until a fix is available, consider disabling or restricting access to the vulnerable AJAX endpoint if possible, or applying web application firewall (WAF) rules to detect and block CRLF injection attempts targeting the affected parameters.