Platform
wordpress
Component
shoplentor
Fixed version
3.2.6
A critical Local File Inclusion (LFI) vulnerability (CVE-2025-12493) has been identified in the ShopLentor WordPress plugin, affecting versions from 0.0.0 through 3.2.5. This vulnerability allows unauthenticated attackers to execute arbitrary PHP code on the server, potentially leading to complete system compromise. The vulnerability resides in the 'load_template' function and has been publicly disclosed on 2025-11-04. Immediate action is required to mitigate this severe risk.
The impact of CVE-2025-12493 is severe due to the unrestricted code execution it enables. An attacker exploiting this vulnerability can upload a malicious PHP file, include it via the 'load_template' function, and execute arbitrary code with the privileges of the web server user. This could lead to the theft of sensitive data, including database credentials, user information, and potentially even the entire WordPress installation. Furthermore, the attacker could establish a persistent backdoor, allowing them to regain access to the system at any time. The ability to execute arbitrary code effectively grants the attacker full control over the affected WordPress site, similar to the impact of remote code execution vulnerabilities.
CVE-2025-12493 is a high-severity vulnerability with a public disclosure date of 2025-11-04. No public proof-of-concept (PoC) code has been released at the time of writing, but the ease of exploitation makes it likely that one will emerge. The vulnerability is not currently listed on the CISA KEV catalog. Given the critical CVSS score and the potential for widespread exploitation, organizations using the affected plugin should prioritize remediation.
WordPress websites utilizing the ShopLentor plugin, particularly those with limited security configurations or shared hosting environments, are at significant risk. Sites with older, unpatched WordPress installations or those lacking robust input validation practices are especially vulnerable. Administrators who have not recently reviewed plugin security are also at increased risk.
• wordpress / composer / npm:
  grep -r 'load_template' /var/www/html/wp-content/plugins/shop-lentor/
• generic web:
  curl -I 'http://your-wordpress-site.com/wp-content/plugins/shop-lentor/load_template?file=../../../../etc/passwd' | grep 'Content-Type:'
• wordpress / composer / npm:
  wp plugin list | grep shop-lentor
Disclosure
Exploit status
EPSS
0.37% (58th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-12493 is to immediately upgrade the ShopLentor plugin to a patched version. The vendor has not yet released a fixed version, so temporary workarounds are necessary. Consider restricting file uploads to only explicitly allowed file types and implementing strict input validation on the 'load_template' parameter. Web Application Firewalls (WAFs) can be configured to block requests containing suspicious file paths or patterns. Monitor web server logs for unusual activity, particularly attempts to access or include unexpected PHP files. After upgrading to a patched version, verify the fix by attempting to trigger the LFI vulnerability and confirming that it is no longer exploitable.
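The log-monitoring workaround above can be made concrete with a small detector. The following is an added example, not code from the advisory or from the ShopLentor plugin: it scans Apache-style access log lines for requests to the plugin's load_template endpoint whose 'file' parameter carries traversal sequences, absolute paths, or a .php filename. The endpoint path, the 'file' parameter name, the expected slug format and the log lines themselves are assumptions constructed for the example.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [04/Nov/2025:10:01:02 +0000] "GET /wp-content/plugins/shop-lentor/load_template?file=product-grid HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [04/Nov/2025:10:01:07 +0000] "GET /wp-content/plugins/shop-lentor/load_template?file=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1841 "-" "curl/8.4"
198.51.100.2 - - [04/Nov/2025:10:01:09 +0000] "GET /wp-content/plugins/shop-lentor/load_template?file=uploads/2025/11/image.php HTTP/1.1" 200 20 "-" "python-requests/2.31"
198.51.100.7 - - [04/Nov/2025:10:02:00 +0000] "GET /shop/ HTTP/1.1" 200 9043 "-" "Mozilla/5.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request URL, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed request shape: the endpoint path and 'file' parameter used by the plugin.
ENDPOINT = "/wp-content/plugins/shop-lentor/load_template"
# Assumed legitimate template identifier: a bare slug, no slashes, dots or extensions.
SAFE_NAME = re.compile(r"[A-Za-z0-9_-]+")


def classify(url: str) -> Optional[str]:
    """Return a finding label for one request URL, or None if it looks benign."""
    parts = urlsplit(url)
    if parts.path != ENDPOINT:
        return None
    for raw in parse_qs(parts.query).get("file", []):
        value = unquote(raw)  # parse_qs decoded once; undo a second (double) encoding layer
        if ".." in value or value.startswith("/") or "\\" in value:
            return "path-traversal"
        if value.lower().endswith(".php") or "\0" in value:
            return "php-include"
        if not SAFE_NAME.fullmatch(value):
            return "unexpected-template-name"
    return None


def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (client ip, finding label, status code) for each suspicious log line."""
    findings = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in combined log format
        label = classify(match["url"])
        if label:
            findings.append((match["ip"], label, match["status"]))
    return findings


if __name__ == "__main__":
    for ip, label, status in scan_log(SAMPLE_LOG):
        print(f"{ip}\t{label}\tHTTP {status}")
```

A 200 status on a flagged request is the signal worth escalating, since it suggests the include actually succeeded rather than being rejected.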
Update the ShopLentor plugin to the latest available version to mitigate the local file inclusion vulnerability. Check for available updates in the WordPress administration panel or on the developer's website. Implement additional security measures, such as limiting file and directory permissions, to reduce the risk of exploitation.
CVE-2025-12493 is a critical Local File Inclusion vulnerability in the ShopLentor WordPress plugin, allowing attackers to execute arbitrary PHP code.
You are affected if you are using ShopLentor versions 0.0.0 through 3.2.5. Upgrade immediately when a patch is available.
Upgrade to a patched version of the ShopLentor plugin. Until a patch is released, implement temporary workarounds like restricting file uploads and using a WAF.
While no active exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest it is likely to be targeted.
Check the official ShopLentor website and WordPress plugin repository for updates and security advisories related to CVE-2025-12493.