CVE-2026-6287 devitemsllc CVE debrief

Who should care

WordPress site administrators using ShopLentor plugin versions 3.3.8 or earlier; security teams monitoring for authenticated XSS vectors in content management systems; developers maintaining WooCommerce/Elementor integrations

Technical summary

The ShopLentor plugin's Product Grid blocks fail to properly sanitize and escape the 'blockUniqId' block attribute before rendering it in page output. This allows authenticated users with contributor privileges or higher to supply malicious JavaScript payloads that persist in post content and execute when any user views the affected page. The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation).

Defensive priority

medium

Recommended defensive actions

• Update ShopLentor - WooCommerce Builder for Elementor & Gutenberg plugin to version 3.3.9 or later
• Review existing posts and pages for suspicious content in Product Grid blocks, particularly examining the blockUniqId attribute
• Implement Content Security Policy (CSP) headers to mitigate impact of XSS vulnerabilities
• Consider restricting contributor-level access pending verification of remediation
• Monitor web application logs for unusual script injection patterns or unexpected external resource loading

Evidence notes

The vulnerability affects the 'blockUniqId' block attribute in multiple Product Grid blocks. The CVSS 3.1 vector is AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N, indicating network attack vector, low attack complexity, low privileges required, user interaction required, changed scope, and low impacts to confidentiality and integrity.

Official resources