CVE-2025-12493 Overview
CVE-2025-12493 is a critical Local File Inclusion (LFI) vulnerability affecting the ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor) plugin for WordPress. The vulnerability exists in all versions up to and including 3.2.5 and allows unauthenticated attackers to include and execute arbitrary .php files on the server through the load_template function. This can be exploited to bypass access controls, obtain sensitive data, or achieve remote code execution in cases where PHP files can be uploaded and included.
Critical Impact
Unauthenticated attackers can achieve arbitrary PHP code execution on affected WordPress sites, potentially leading to full server compromise, data theft, and website defacement without requiring any authentication.
Affected Products
- Hasthemes ShopLentor versions up to and including 3.2.5
- WordPress installations with ShopLentor/WooLentor addon enabled
- WooCommerce sites using ShopLentor for Elementor or Gutenberg integration
Discovery Timeline
- 2025-11-04 - CVE-2025-12493 published to NVD
- 2025-11-26 - Last updated in NVD database
Technical Details for CVE-2025-12493
Vulnerability Analysis
This Local File Inclusion vulnerability stems from insufficient input validation in the load_template function within the ShopLentor plugin. The vulnerable code paths exist in multiple locations within the plugin's codebase, including the AJAX actions handler (class.ajax_actions.php) and the product grid base class (class.product-grid-base.php).
The vulnerability allows remote attackers to manipulate file path parameters to include arbitrary PHP files from the server's filesystem. Since no authentication is required to exploit this vulnerability, any external attacker can target affected WordPress installations. The attack can be executed remotely over the network with low complexity, requiring no user interaction.
Successful exploitation allows attackers to execute arbitrary PHP code within the context of the web server, potentially leading to complete compromise of the WordPress installation and underlying server.
Root Cause
The root cause of this vulnerability is improper input validation in the load_template function. The plugin fails to adequately sanitize or validate user-supplied input before using it to construct file paths for PHP file inclusion. This lack of path traversal prevention allows attackers to escape the intended directory structure and include arbitrary PHP files from anywhere on the filesystem that the web server process has permission to read.
The vulnerability is classified under CWE-22 (Path Traversal), indicating improper limitation of a pathname to a restricted directory. The affected code does not properly validate that the requested template file exists within the expected plugin directory, enabling directory traversal attacks using sequences like ../ to navigate outside the intended scope.
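As an added illustration (not the plugin's code, and written in Python rather than PHP), this is the containment check a template loader needs to close this class of CWE-22 defect: the requested name is decoded, confined to the template directory after symlink resolution, and limited to .php files. The directory layout, file names and the function name resolve_template are constructed for the example.

```python
import os
import tempfile
from urllib.parse import unquote

def resolve_template(base_dir: str, requested: str):
    """Return the absolute path of a template inside base_dir, or None if the
    request would escape it. Illustrative check, not the plugin's own code."""
    name = unquote(requested)  # judge the decoded value, not the encoded one
    if "\x00" in name or os.path.isabs(name) or not name.endswith(".php"):
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # realpath resolves ".." and also symlinks, so a link inside the template
    # directory that points outside it is rejected like a plain traversal.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None

def demo() -> dict:
    """Build a constructed directory tree and report which requests are accepted."""
    root = tempfile.mkdtemp()
    tpl = os.path.join(root, "templates")
    os.mkdir(tpl)
    with open(os.path.join(tpl, "product-grid.php"), "w") as f:
        f.write("<?php // constructed sample template ?>")
    with open(os.path.join(root, "wp-config.php"), "w") as f:
        f.write("<?php // constructed stand-in for a sensitive file ?>")
    os.symlink(os.path.join(root, "wp-config.php"), os.path.join(tpl, "link.php"))
    requests = [
        "product-grid.php",                   # legitimate template
        "../wp-config.php",                   # plain traversal
        "..%2fwp-config.php",                 # percent-encoded traversal
        "link.php",                           # symlink escaping the directory
        os.path.join(root, "wp-config.php"),  # absolute path
        "product-grid.txt",                   # not a .php template
    ]
    return {r: resolve_template(tpl, r) is not None for r in requests}

if __name__ == "__main__":
    for req, ok in demo().items():
        print("ALLOW " if ok else "REJECT", req)
```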
Attack Vector
The attack is network-based and can be executed by unauthenticated users. Attackers can craft malicious HTTP requests to the WordPress AJAX handler, manipulating template path parameters to include arbitrary PHP files. The attack requires no special privileges or user interaction, making it highly exploitable.
The exploitation flow typically involves:
- Identifying a WordPress site running a vulnerable version of ShopLentor
- Crafting a malicious request to the vulnerable AJAX endpoint
- Manipulating the template path parameter to include a malicious or sensitive PHP file
- The server includes and executes the specified PHP file
If attackers can upload a PHP file to the server through another means (such as a media upload vulnerability or a file with a .php extension disguised as another format), they can chain this LFI vulnerability to achieve full remote code execution.
Technical details of the vulnerable code paths can be found in the WordPress Plugin Code Reference and Wordfence Vulnerability Analysis.
Detection Methods for CVE-2025-12493
Indicators of Compromise
- Unusual AJAX requests to WordPress admin-ajax.php containing path traversal sequences (../, ..%2f, etc.)
- Web server logs showing requests with load_template actions and suspicious file paths
- Unexpected PHP file access or inclusion errors in WordPress error logs
- New or modified PHP files appearing in unexpected directories
Detection Strategies
- Deploy web application firewall (WAF) rules to detect and block path traversal patterns in request parameters
- Monitor WordPress AJAX endpoints for suspicious load_template or related action requests
- Implement file integrity monitoring on WordPress installations to detect unauthorized PHP file modifications
- Review web server access logs for patterns consistent with LFI exploitation attempts
Monitoring Recommendations
- Enable verbose logging for WordPress AJAX handlers and review logs regularly
- Set up alerts for HTTP requests containing path traversal indicators targeting ShopLentor endpoints
- Monitor for unusual file access patterns in PHP error logs and web server logs
- Implement real-time file integrity monitoring on critical WordPress directories
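An added example (not from the page's sources) of the access-log review described above: it scans constructed combined-format log lines for admin-ajax.php requests whose query string carries a traversal sequence, decoding the query repeatedly so percent-encoded and double-encoded forms are caught as well as the raw one. The action and parameter names in the sample lines are placeholders; this page does not give the plugin's real request parameters.

```python
import re
from urllib.parse import unquote, urlsplit

# Combined-log-format fields we need; the target keeps its raw (undecoded) query.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# "../" or "..\" once the query has been decoded down to its real characters.
TRAVERSAL = re.compile(r"\.\.[/\\]")

# Constructed sample lines, not real traffic. "action" and "template" are
# placeholders; the page does not name the plugin's real request parameters.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Nov/2025:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=load_template&template=product-grid.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [05/Nov/2025:10:01:07 +0000] "GET /wp-admin/admin-ajax.php?action=load_template&template=../../wp-config.php HTTP/1.1" 200 0 "-" "curl/8.0"
203.0.113.12 - - [05/Nov/2025:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=load_template&template=..%2F..%2Fwp-config.php HTTP/1.1" 200 0 "-" "curl/8.0"
203.0.113.20 - - [05/Nov/2025:10:01:11 +0000] "GET /wp-admin/admin-ajax.php?action=load_template&template=%252e%252e%252fwp-config.php HTTP/1.1" 200 0 "-" "python-requests/2.31"
203.0.113.31 - - [05/Nov/2025:10:01:15 +0000] "GET /index.php?template=../../wp-config.php HTTP/1.1" 404 0 "-" "curl/8.0"
203.0.113.40 - - [05/Nov/2025:10:01:20 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 0 "-" "curl/8.0"
"""

def has_traversal(query: str) -> bool:
    """Check the raw query and up to two decoded layers (catches %2e%2e%2f and %252e...)."""
    layer = query
    for _ in range(3):
        if TRAVERSAL.search(layer):
            return True
        decoded = unquote(layer)
        if decoded == layer:  # nothing left to decode
            return False
        layer = decoded
    return False

def scan(log_text: str) -> list:
    """Return admin-ajax.php requests whose query string carries a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/admin-ajax.php"):
            continue  # other paths are outside this indicator's scope
        if has_traversal(url.query):
            hits.append({"ip": m["ip"], "status": m["status"], "target": m["target"]})
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["target"])
```

The final sample line shows the blind spot: a template parameter sent in a POST body never reaches the access log's query string, so this check is complemented by WAF inspection or application-level request logging.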
How to Mitigate CVE-2025-12493
Immediate Actions Required
- Update ShopLentor plugin to version 3.2.6 or later immediately
- Audit WordPress installations for any signs of compromise or unauthorized file modifications
- Review web server access logs for evidence of exploitation attempts
- Consider temporarily disabling the ShopLentor plugin if immediate patching is not possible
Patch Information
The ShopLentor development team has released a security patch addressing this vulnerability. The fix is included in WordPress Changeset 3388234. Users should update to the latest version of the plugin through the WordPress admin dashboard or by manually downloading and installing the updated plugin from the WordPress plugin repository.
To update via WordPress admin:
- Navigate to Plugins → Installed Plugins
- Locate ShopLentor (WooLentor)
- Click "Update Now" if an update is available
- Verify the plugin version is 3.2.6 or higher after updating
Workarounds
- Temporarily deactivate the ShopLentor plugin until the patch can be applied
- Implement WAF rules to block requests containing path traversal patterns targeting ShopLentor endpoints
- Restrict access to admin-ajax.php from untrusted networks if feasible for your deployment
- Apply server-level PHP configuration that restricts the directories PHP may open (and therefore include or require from) using open_basedir
# Example Apache .htaccess rule to block path traversal attempts in the query
# string of admin-ajax.php requests. mod_rewrite inspects only the query string:
# a traversal sequence sent in a POST body is not caught here, nor is a
# double-encoded form such as %252e%252e%252f, so treat this as a stop-gap
# until the plugin is updated.
<IfModule mod_rewrite.c>
    RewriteEngine On
    # Raw "../" or percent-encoded "..%2f" (case-insensitive) anywhere in the query
    RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
    RewriteCond %{QUERY_STRING} \.\.%2[fF] [NC]
    # Return 403 Forbidden for matching requests to the AJAX handler
    RewriteRule ^wp-admin/admin-ajax\.php$ - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.