CVE-2025-12493
Published: 04 November 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-12493 is a Local File Inclusion (LFI) vulnerability, classified under CWE-22, affecting the ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution plugin (formerly WooLentor) for WordPress. The issue resides in the 'load_template' function and impacts all versions up to and including 3.2.5. It enables the inclusion and execution of arbitrary .php files on the server, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and lack of prerequisites.
Unauthenticated attackers can exploit this vulnerability remotely without privileges or user interaction. By leveraging the flawed 'load_template' function, they can include arbitrary .php files, execute PHP code within those files, bypass access controls, and obtain sensitive data. If the environment allows .php file uploads, this escalates to full remote code execution on the server.
References to the WordPress plugin trac repository highlight the vulnerable code locations, including lines in class.ajax_actions.php (L42, L213, L241) and class.product-grid-base.php (L378). Changeset 3388234 documents the patch, which security practitioners should apply by updating to a fixed version beyond 3.2.5.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This LFI vulnerability in a public-facing WordPress plugin allows unauthenticated remote code execution by including and executing arbitrary PHP files, directly enabling T1190: Exploit Public-Facing Application.