CVE-2025-12497
Published: 05 November 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-12497 is a Local File Inclusion (LFI) vulnerability in the Premium Portfolio Features for Phlox theme plugin for WordPress, affecting all versions up to and including 2.3.10. The flaw is reachable through the 'args[extra_template_path]' parameter, which is passed to a PHP include without adequate validation, so unauthenticated attackers can cause arbitrary .php files already present on the server to be included and executed. The vulnerability is rated with a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H) and is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program).
Unauthenticated attackers can reach the vulnerability remotely over the network, although the attack complexity is rated high. Successful exploitation executes whatever PHP code is in the included file, which can bypass access controls, expose sensitive data, or lead to remote code execution; the impact is greatest where an attacker is also able to place .php files on the server, for example through an upload feature.
Mitigation details are available in the referenced advisories: a patch has been committed in the WordPress plugin trac changeset at https://plugins.trac.wordpress.org/changeset/3388727/auxin-portfolio, and further threat intelligence is provided by Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/518abad2-d3cc-4d15-83d2-8fd99d30500c?source=cve. Administrators should update the plugin to a version later than 2.3.10.
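The CWE-98 pattern behind this class of flaw, and the kind of check that removes it, as an added illustration that is not the plugin's code and not the linked patch: a hypothetical template loader takes `args[extra_template_path]` straight into `include`, while the hardened variant accepts only a template name from an allowlist and confirms the resolved file stays inside a fixed template directory (function names, the allowlist and the directory are assumptions).

```php
<?php
// Added illustration, not code from the affected plugin. Both functions receive
// the request's 'args' array; only the second one is safe to use with untrusted input.

// VULNERABLE (CWE-98): the include target is taken directly from request input,
// so any readable .php file on the server can be pulled in and executed.
function render_portfolio_vulnerable(array $args): void
{
    $template = $args['extra_template_path'] ?? '';
    include $template;
}

// HARDENED: accept a template *name* (not a path), restrict it to an allowlist,
// resolve it under a fixed directory and verify the real path stays there.
// Returns the path that was included, so the decision can be logged or tested.
function render_portfolio_hardened(array $args, string $templateDir): string
{
    $allowed = ['grid', 'masonry', 'list'];          // hypothetical template names
    $name    = basename((string) ($args['extra_template'] ?? 'grid')); // strip any dir parts
    if (!in_array($name, $allowed, true)) {
        throw new RuntimeException('Unknown portfolio template: ' . $name);
    }

    $base = realpath($templateDir);
    $path = realpath($templateDir . DIRECTORY_SEPARATOR . $name . '.php');
    // realpath() returns false for missing files and collapses '..' and symlinks,
    // so the prefix test below catches traversal that survived the allowlist.
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('Template resolved outside the template directory');
    }

    include $path;
    return $path;
}
```

Rejected requests surface as exceptions rather than silent fallbacks, which gives a WAF or application log a clear signal when the parameter is being probed.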
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The LFI vulnerability in the WordPress plugin allows unauthenticated remote attackers to include and execute arbitrary PHP files, directly enabling exploitation of a public-facing application.