Platform: wordpress
Component: shoplentor
Fixed in: 3.2.6
A critical Local File Inclusion (LFI) vulnerability (CVE-2025-12493) has been identified in the ShopLentor WordPress plugin, affecting versions from 0.0.0 through 3.2.5. This vulnerability allows unauthenticated attackers to execute arbitrary PHP code on the server, potentially leading to complete system compromise. The vulnerability resides in the 'load_template' function and was publicly disclosed on 2025-11-04. Immediate action is required to mitigate this severe risk.
The impact of CVE-2025-12493 is severe because of the unrestricted code execution it enables. An attacker exploiting this vulnerability can upload a malicious PHP file, include it via the 'load_template' function, and execute arbitrary code with the privileges of the web server user. This can lead to the theft of sensitive data, including database credentials and user information, and potentially to the compromise of the entire WordPress installation. The attacker could also establish a persistent backdoor to regain access to the system at any time. In effect, arbitrary code execution grants the attacker full control over the affected WordPress site, comparable to the impact of a remote code execution vulnerability.
CVE-2025-12493 is a high-severity vulnerability with a public disclosure date of 2025-11-04. No public proof-of-concept (PoC) code has been released at the time of writing, but the ease of exploitation makes it likely that one will emerge. The vulnerability is not currently listed on the CISA KEV catalog. Given the critical CVSS score and the potential for widespread exploitation, organizations using the affected plugin should prioritize remediation.
Exploit Status
EPSS: 0.37% (58th percentile)
The primary mitigation for CVE-2025-12493 is to immediately upgrade the ShopLentor plugin to a patched version. The vendor has not yet released a fixed version, so temporary workarounds are necessary. Consider restricting file uploads to only explicitly allowed file types and implementing strict input validation on the 'load_template' parameter. Web Application Firewalls (WAFs) can be configured to block requests containing suspicious file paths or patterns. Monitor web server logs for unusual activity, particularly attempts to access or include unexpected PHP files. After upgrading to a patched version, verify the fix by attempting to trigger the LFI vulnerability and confirming that it is no longer exploitable.
Update the ShopLentor plugin to the latest available version to mitigate the Local File Inclusion vulnerability. Check for updates in the WordPress admin panel or on the developer's website. Implement additional security measures, such as limiting file and directory permissions, to reduce the risk of exploitation.
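Since the advisory recommends monitoring web server logs for attempts to include unexpected PHP files, here is an added detection example; it is my own illustration, not code from the advisory or from the ShopLentor plugin. It parses combined-format access log lines, extracts a template-selection query parameter, and flags values that do not look like a plain template name (path traversal, absolute paths, stream-wrapper or URL prefixes, references to PHP files, null bytes, or anything outside a known allowlist). The parameter name `template`, the allowlist of template names, and the sample log lines are constructed assumptions; the real plugin's request format is not described on this page.

```python
"""Access-log scan for suspicious template-inclusion requests.

Added example, not part of the advisory or of ShopLentor's code. The
parameter name, allowlist, and log lines below are constructed assumptions.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample traffic in Apache/nginx "combined" log format (not real).
SAMPLE_LOG = """\
203.0.113.10 - - [04/Nov/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=shop_view&template=grid HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [04/Nov/2025:10:01:05 +0000] "GET /wp-admin/admin-ajax.php?action=shop_view&template=../../uploads/2025/11/cart.php HTTP/1.1" 200 64 "-" "curl/8.0"
203.0.113.12 - - [04/Nov/2025:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=shop_view&template=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 500 0 "-" "python-requests/2.31"
203.0.113.13 - - [04/Nov/2025:10:01:12 +0000] "GET /shop/?template=list HTTP/1.1" 200 7300 "-" "Mozilla/5.0"
203.0.113.15 - - [04/Nov/2025:10:01:20 +0000] "GET /shop/?template=carousel HTTP/1.1" 200 7100 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumption: the plugin selects templates through a parameter named "template"
# and only these bare names are legitimate values.
WATCHED_PARAMS = ("template",)
ALLOWED_TEMPLATES = {"grid", "list"}


def classify_value(value: str) -> List[str]:
    """Return the reasons a parameter value looks like a file-inclusion attempt."""
    v = unquote(unquote(value))  # undo double percent-encoding (e.g. %252e)
    reasons = []
    if ".." in v.replace("\\", "/"):
        reasons.append("path traversal")
    if v.startswith("/") or re.match(r"^[A-Za-z]:[\\/]", v):
        reasons.append("absolute path")
    if re.match(r"^[a-z][a-z0-9+.-]*://", v, re.I):
        reasons.append("stream wrapper or URL")
    if re.search(r"\.ph(p\d?|tml|ar)\b", v, re.I):
        reasons.append("references a PHP file")
    if "\0" in v:
        reasons.append("null byte")
    # A value with no hostile pattern but outside the allowlist is still worth a look.
    if not reasons and v not in ALLOWED_TEMPLATES:
        reasons.append("value outside allowlist")
    return reasons


def scan_log(text: str) -> List[Dict[str, object]]:
    """Parse log lines and collect findings for watched query parameters."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for name in WATCHED_PARAMS:
            for value in query.get(name, []):
                reasons = classify_value(value)
                if reasons:
                    findings.append({
                        "ip": m["ip"],
                        "time": m["ts"],
                        "status": m["status"],
                        "param": name,
                        "value": value,
                        "reasons": reasons,
                    })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} status={f['status']} "
              f"{f['param']}={f['value']!r}: {', '.join(f['reasons'])}")
```

The scan is deliberately two-tiered: pattern hits (traversal, wrappers, PHP file references) are strong signals regardless of the plugin's real parameter name, while the allowlist miss is a low-confidence hint that needs the real template list to be useful. A 200 response to a traversal request deserves more urgency than a 500, since it suggests the include may have succeeded.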
CVE-2025-12493 is a critical Local File Inclusion vulnerability in the ShopLentor WordPress plugin, allowing attackers to execute arbitrary PHP code.
You are affected if you are using ShopLentor versions 0.0.0 through 3.2.5. Upgrade immediately when a patch is available.
Upgrade to a patched version of the ShopLentor plugin. Until a patch is released, implement temporary workarounds like restricting file uploads and using a WAF.
While no active exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest it is likely to be targeted.
Check the official ShopLentor website and WordPress plugin repository for updates and security advisories related to CVE-2025-12493.