CVE-2025-12497 Overview
CVE-2025-12497 is a Local File Inclusion (LFI) vulnerability in the Premium Portfolio Features for Phlox theme plugin for WordPress. The flaw exists in all versions up to and including 2.3.10 and is triggered through the args[extra_template_path] parameter. Unauthenticated attackers can include and execute arbitrary .php files on the server, leading to arbitrary PHP code execution. The issue is categorized as PHP Remote File Inclusion / improper control of filename for include/require statement [CWE-98].
Critical Impact
Unauthenticated remote attackers can include arbitrary local PHP files, bypass access controls, exfiltrate sensitive data, and achieve remote code execution where .php files can be uploaded and included.
Affected Products
- Premium Portfolio Features for Phlox theme plugin for WordPress — all versions up to and including 2.3.10
- WordPress sites running the affected plugin alongside the Phlox theme
- Any deployment where unauthenticated visitors can reach the vulnerable endpoint
Discovery Timeline
- 2025-11-05 - CVE-2025-12497 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-12497
Vulnerability Analysis
The vulnerability resides in the plugin's template loading logic, which accepts a caller-controlled path through the args[extra_template_path] parameter. The plugin passes this value into a PHP include or require statement without enforcing an allowlist of permitted templates or constraining the path to a trusted directory. As a result, attackers can direct the include call to any .php file accessible on the server filesystem.
Because the endpoint is reachable without authentication, exploitation does not require a WordPress account, an administrator session, or social engineering. Successful inclusion executes the targeted PHP file in the context of the web server user, granting the attacker the same privileges as WordPress itself. The CWE-98 classification reflects the unsafe handling of an externally influenced filename in an include directive.
Root Cause
The root cause is missing input validation and path sanitization on the extra_template_path argument. The plugin trusts user-supplied input as a filesystem path and concatenates or passes it directly to a PHP file inclusion function. There is no canonicalization check, no restriction to a base template directory, and no enforcement that the included file belongs to the plugin or theme.
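To make the CWE-98 pattern described above concrete, the following PHP is an added illustration written for this page; it is not the plugin's actual source, and the function names, the template directory and the allowlist are assumptions. The first function mirrors the unsafe shape (a caller-controlled value reaching include), the second adds the allowlist and canonicalized base-directory check whose absence is the root cause.

```php
<?php
// Added illustration for this page, not the plugin's actual source: the
// unsafe CWE-98 pattern, where a caller-controlled value reaches include()
// with no validation at all.
function load_template_unsafe(array $args): void
{
    $path = (string) ($args['extra_template_path'] ?? '');
    include $path; // any readable .php on the filesystem can be executed
}

// Hardened variant (function and parameter names are assumptions): only an
// allowlisted file name that resolves inside a fixed template directory is
// included. Returns true on success, false when the request is rejected.
function load_template_safe(array $args, string $base_dir, array $allowlist): bool
{
    // basename() discards every directory component, so "../" sequences
    // and absolute paths cannot survive this step
    $requested = basename((string) ($args['extra_template_path'] ?? ''));

    if ($requested === '' || !in_array($requested, $allowlist, true)) {
        error_log("rejected template request: {$requested}");
        return false;
    }

    // Defense in depth: canonicalize both paths (resolving symlinks) and
    // require the target to sit strictly below the base directory
    $base = realpath($base_dir);
    $full = realpath($base_dir . DIRECTORY_SEPARATOR . $requested);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($base === false || $full === false || strncmp($full, $prefix, strlen($prefix)) !== 0) {
        error_log("template outside base directory: {$requested}");
        return false;
    }

    include $full;
    return true;
}

// Constructed usage: two permitted template names and a traversal attempt
// aimed at the uploads directory, which is rejected before any include() runs
$allowlist = ['portfolio-grid.php', 'portfolio-list.php'];
$args = ['extra_template_path' => '../../../wp-content/uploads/2025/11/uploaded.php'];
var_dump(load_template_safe($args, __DIR__ . '/templates', $allowlist));
```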
Attack Vector
An unauthenticated attacker sends a crafted HTTP request to the vulnerable WordPress endpoint with the args[extra_template_path] parameter pointing to a local .php file. The request can target plugin-bundled files, files written by other plugins, uploaded media, or any user-writable directory containing PHP content. When the server processes the request, the targeted PHP file is executed, yielding code execution, sensitive file disclosure, or access control bypass depending on the included file's contents. Technical details and proof-of-concept context are documented in the Wordfence Vulnerability Report and the upstream fix is visible in the WordPress Plugin Changeset.
Detection Methods for CVE-2025-12497
Indicators of Compromise
- HTTP requests containing the args[extra_template_path] parameter, especially with values referencing .php paths, ../ traversal sequences, or paths under wp-content/uploads.
- Unexpected PHP execution originating from non-standard locations such as upload directories, cache folders, or temporary paths.
- Newly created PHP files in wp-content/uploads or other writable directories shortly before suspicious inclusion requests.
- Web server access logs showing unauthenticated requests to plugin endpoints followed by anomalous outbound network connections.
Detection Strategies
- Inspect WordPress and web server logs for any query string or POST body containing extra_template_path and alert on values outside expected template names.
- Deploy a web application firewall rule that blocks LFI patterns such as path traversal sequences, absolute filesystem paths, and php:// wrappers within plugin parameters.
- Use file integrity monitoring on the wp-content/plugins/auxin-portfolio directory and the WordPress uploads directory to surface unauthorized PHP files.
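The log inspection described in the first detection strategy, as an added PHP example written for this page (not code from Wordfence or the plugin). The log lines are constructed, the expected template names are an assumption, and the script flags any args[extra_template_path] value, whether the brackets arrive literally or URL-encoded, that shows traversal, a stream wrapper, an absolute path, the uploads directory, or simply is not an expected template name.

```php
<?php
// Added example for this page (not Wordfence's or the plugin's code): scan
// access log lines for the vulnerable parameter and report suspicious values.
// Constructed sample lines in combined log format; only the second is benign.
const SAMPLE_LOG = <<<'LOG'
203.0.113.10 - - [05/Nov/2025:10:01:02 +0000] "GET /?args%5Bextra_template_path%5D=../../wp-content/uploads/2025/11/x.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.11 - - [05/Nov/2025:10:01:03 +0000] "GET /portfolio/?args[extra_template_path]=portfolio-grid.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.12 - - [05/Nov/2025:10:01:04 +0000] "GET /?args%5Bextra_template_path%5D=php://filter/resource=index.php HTTP/1.1" 200 300 "-" "python-requests/2.31"
LOG;

// Pull args[extra_template_path] out of a request target; parse_str() decodes
// %5B/%5D, so the encoded and literal bracket forms both land in $p['args'].
function extract_template_param(string $request_target): ?string
{
    $pos = strpos($request_target, '?');
    if ($pos === false) return null;
    parse_str(substr($request_target, $pos + 1), $p);
    $value = $p['args']['extra_template_path'] ?? null;
    return is_string($value) ? $value : null;
}

// Reasons a value should be alerted on, mirroring the indicators listed above.
function classify_template_value(string $value, array $expected): array
{
    $reasons = [];
    if (preg_match('#(^|[\\\\/])\.\.([\\\\/]|$)#', $value)) $reasons[] = 'path traversal';
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $value))    $reasons[] = 'stream wrapper';
    if (preg_match('#^(/|[a-z]:[\\\\/])#i', $value))        $reasons[] = 'absolute path';
    if (stripos($value, 'wp-content/uploads') !== false)    $reasons[] = 'uploads directory';
    if (!in_array($value, $expected, true))                 $reasons[] = 'not an expected template name';
    return $reasons;
}

// Parse client IP, timestamp and request target from each line and collect findings.
function scan_access_log(string $log, array $expected): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (!preg_match('/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*"/', $line, $m)) continue;
        $value = extract_template_param($m[4]);
        if ($value === null) continue;
        $reasons = classify_template_value($value, $expected);
        if ($reasons) $findings[] = ['ip' => $m[1], 'time' => $m[2], 'value' => $value, 'reasons' => $reasons];
    }
    return $findings;
}

foreach (scan_access_log(SAMPLE_LOG, ['portfolio-grid.php', 'portfolio-list.php']) as $f) {
    printf("%s %s %s [%s]\n", $f['time'], $f['ip'], $f['value'], implode(', ', $f['reasons']));
}
```

Feed real lines in through STDIN or a file in place of SAMPLE_LOG; requests that carry the parameter in a POST body will not appear in the request target and need the body-inspecting WAF rule instead.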
Monitoring Recommendations
- Continuously monitor PHP-FPM and web server process telemetry for unusual child processes spawned by the WordPress worker.
- Track outbound connections from web servers to identify post-exploitation command-and-control or data staging activity.
- Correlate authentication-free hits on vulnerable plugin routes with subsequent administrative changes or new user creation in WordPress.
How to Mitigate CVE-2025-12497
Immediate Actions Required
- Update the Premium Portfolio Features for Phlox theme plugin to a version newer than 2.3.10 that contains the upstream fix in changeset 3388727.
- Audit the WordPress filesystem for unauthorized .php files in upload, cache, and temporary directories and remove any that are not expected.
- Rotate WordPress secret keys, database credentials, and administrator passwords if exploitation is suspected.
- Review web server access logs for prior requests containing args[extra_template_path] to determine pre-patch exposure.
Patch Information
The vendor addressed the issue in the plugin source tree. Review the fix in the WordPress Plugin Changeset and install the latest available release through the WordPress plugin updater. Site operators who cannot update immediately should disable the plugin until the patched version is deployed.
Workarounds
- Disable or uninstall the Premium Portfolio Features for Phlox theme plugin until the patched version is installed.
- Block requests containing the args[extra_template_path] parameter at the WAF or reverse proxy layer.
- Enforce strict open_basedir and disable_functions settings in PHP to limit which files the WordPress process can include and execute.
- Prevent PHP execution inside wp-content/uploads using web server configuration directives.
# Example nginx configuration (inside the server block) to block PHP
# execution in uploads and reject requests containing the vulnerable parameter.
# "(/|$)" also catches /uploads/x.php/anything, which "\.php$" alone would miss.
location ~* /wp-content/uploads/.*\.php(/|$) {
    deny all;
    return 403;
}
# $args is the raw query string, so match the bare parameter name: this covers
# both args[extra_template_path]= and the URL-encoded args%5Bextra_template_path%5D=
# form. It does not inspect POST bodies; rely on the WAF rule for those.
if ($args ~* "extra_template_path") {
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.