Introduction
Attackers can execute arbitrary PHP code and read sensitive files on over 100,000 WordPress sites running ShopLentor, owing to a critical Local File Inclusion flaw. The vulnerability lets unauthenticated users compromise e-commerce stores, potentially leading to data theft or full site takeover.
ShopLentor (formerly WooLentor) is a major WordPress plugin that integrates WooCommerce with Elementor and Gutenberg page builders. With millions of downloads and a large active user base, it is a key component in the WordPress e-commerce ecosystem.
Technical Information
CVE-2025-12493 is a Local File Inclusion (LFI) vulnerability in ShopLentor for WordPress, affecting all versions up to and including 3.2.5. The flaw resides in the load_template function, which does not properly sanitize user-supplied input for file paths. This allows attackers to use directory traversal sequences (such as ../) to include arbitrary files from the server's filesystem.
The vulnerability is classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory). Attackers can exploit this by sending crafted requests to endpoints that invoke the vulnerable function, referencing files like wp-config.php or any PHP file they can upload or access. If successful, this can result in disclosure of sensitive information or remote code execution if a malicious PHP file is included.
No public code snippets or proof of concept have been released for this vulnerability. The root cause is improper input validation in the file path parameter handled by the load_template function. The attack does not require authentication, increasing the risk and potential impact.
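As an added defensive illustration (not ShopLentor's code; the plugin's actual load_template implementation is not public, and the function, parameter and directory names here are assumptions), the following shows how a template loader can bind a user-supplied name to the plugin's own templates directory so that traversal sequences such as ../ never reach include():

```php
<?php
// Hypothetical hardened template loader (example code, not the plugin's own).
// A user-supplied template name is accepted only if it is a plain slug AND the
// canonicalised file sits inside the plugin's templates directory.

/**
 * Resolve $name to an absolute path inside $template_dir.
 * Returns the path on success, or null if the name is rejected.
 */
function resolve_template_path(string $template_dir, string $name): ?string
{
    // 1. Allowlist the shape of the name: letters, digits, dash, underscore,
    //    with optional single-level subdirectories. This rejects "..", "/",
    //    leading slashes, NUL bytes and URL-encoded tricks before any I/O.
    if (!preg_match('#\A[A-Za-z0-9_\-]+(?:/[A-Za-z0-9_\-]+)*\z#', $name)) {
        return null;
    }

    $base = realpath($template_dir);
    if ($base === false) {
        return null; // templates directory missing or unreadable
    }

    // 2. Canonicalise the candidate file and require it to live under $base.
    //    realpath() resolves symlinks and returns false for missing files,
    //    so a symlink pointing outside the directory is caught here.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name . '.php');
    if ($candidate === false) {
        return null;
    }
    if (strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

function safe_load_template(string $template_dir, string $name): void
{
    $path = resolve_template_path($template_dir, $name);
    if ($path === null) {
        // Never fall back to the raw name; record the rejection and stop.
        error_log('Rejected template name: ' . $name);
        return;
    }
    include $path;
}

// Constructed sample calls (assumed directory layout): a legitimate slug is
// resolved if the file exists; a traversal attempt is rejected by the regex.
$dir = __DIR__ . '/templates';
var_dump(resolve_template_path($dir, 'product-grid'));
var_dump(resolve_template_path($dir, '../../wp-config'));
```

The allowlist check alone is what blocks CWE-22 input; the realpath() containment check is defence in depth against symlinks and future changes to the name format.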
Affected Systems and Versions
- Product: ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules (formerly WooLentor)
- Affected Versions: All versions up to and including 3.2.5
- Vulnerable Configuration: Any WordPress installation with a vulnerable version of ShopLentor active
Vendor Security History
ShopLentor has a history of security issues, primarily Cross-Site Scripting (XSS) vulnerabilities, documented by WPScan and Wordfence. The vendor has released patches for many previous issues, but the recurrence of input validation flaws suggests ongoing challenges in secure development practices. The transition from XSS to an unauthenticated LFI vulnerability in CVE-2025-12493 marks a significant escalation in risk.