CVE-2025-12493
Published: 04 November 2025
Summary
CVE-2025-12493 is a critical-severity Path Traversal (CWE-22) vulnerability in Hasthemes Shoplentor. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 40.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the LFI vulnerability by requiring timely patching of the flawed load_template function in the ShopLentor WordPress plugin.
Prevents exploitation of the LFI by validating user-supplied inputs to the load_template function, blocking arbitrary PHP file inclusion.
Identifies the CVE-2025-12493 vulnerability through scanning of WordPress plugins and hosted applications, enabling prompt remediation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
This LFI vulnerability in a public-facing WordPress plugin allows unauthenticated remote code execution by including and executing arbitrary PHP files, directly enabling T1190: Exploit Public-Facing Application.
NVD Description
The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.2.5 via the 'load_template' function. This…
more
makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Deeper analysisAI
CVE-2025-12493 is a Local File Inclusion (LFI) vulnerability, classified under CWE-22, affecting the ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution plugin (formerly WooLentor) for WordPress. The issue resides in the 'load_template' function and impacts all versions up to and including 3.2.5. It enables the inclusion and execution of arbitrary .php files on the server, with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and lack of prerequisites.
Unauthenticated attackers can exploit this vulnerability remotely without privileges or user interaction. By leveraging the flawed 'load_template' function, they can include arbitrary .php files, execute PHP code within those files, bypass access controls, and obtain sensitive data. If the environment allows .php file uploads, this escalates to full remote code execution on the server.
References to the WordPress plugin trac repository highlight the vulnerable code locations, including lines in class.ajax_actions.php (L42, L213, L241) and class.product-grid-base.php (L378). Changeset 3388234 documents the patch, which security practitioners should apply by updating to a fixed version beyond 3.2.5.
Details
- CWE(s)