Introduction
Attackers can execute arbitrary PHP code on thousands of WordPress sites running the Premium Portfolio Features for Phlox theme plugin. This vulnerability, tracked as CVE-2025-12497, enables unauthenticated local file inclusion through the args[extra_template_path] request parameter, putting site integrity and sensitive data at risk.
The Premium Portfolio Features for Phlox theme (also known as auxin-portfolio) is a widely used WordPress plugin with over 50000 active installations. It is designed to provide advanced portfolio management and display capabilities, especially for creative professionals using the Phlox theme. Its broad adoption means that vulnerabilities in this plugin can have a significant impact across the WordPress ecosystem.
Technical Information
CVE-2025-12497 is a local file inclusion (LFI) vulnerability in the Premium Portfolio Features for Phlox theme plugin for WordPress. The flaw exists in all versions up to and including 2.3.10. The vulnerability arises from improper validation and sanitization of the args[extra_template_path] parameter. When this parameter is supplied in a request, the plugin uses its value to construct a file path for inclusion via PHP's include or require functions without sufficient restriction or sanitization.
As a result, an unauthenticated attacker can craft a request that sets args[extra_template_path] to a path of their choosing, including directory traversal sequences or an absolute path to a file already present on the server. If the attacker can first place a PHP file somewhere the web server can read (for example through a separate upload vulnerability or a misconfiguration), they can include that file and execute arbitrary PHP code. Even without an upload, any PHP file already on disk can be included and run in the plugin's context. Note that PHP's include executes the target rather than printing it, so a plain include of wp-config.php runs that file and does not by itself disclose the database credentials it contains; the practical impact of the no-upload case is code execution from unintended files rather than direct secret disclosure.
This vulnerability is classified as CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program). The root cause is the lack of proper input validation for file paths before including them in PHP, a common and dangerous pattern in plugin development.
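The CWE-98 pattern described above, shown as an added example that is not the plugin's code: a handler that passes the request-controlled args[extra_template_path] straight to include, next to a hardened version that restricts the value to a bare template name and confirms the resolved path stays inside the template directory. The function names, the template directory and the sample inputs are assumptions constructed for illustration.

```php
<?php
// Added example, not code from the auxin-portfolio plugin. Function names and
// the template directory are hypothetical; the request values below are constructed.

// Vulnerable: the request-controlled value is used directly as the include target.
// args[extra_template_path]=../../../wp-config.php or /var/www/html/wp-content/uploads/x.php
// both reach include unchanged.
function render_portfolio_template_vulnerable(array $args): void
{
    $path = $args['extra_template_path'] ?? '';
    if ($path !== '') {
        include $path;
    }
}

// Hardened: two independent checks before include.
function render_portfolio_template_safe(array $args, string $template_dir): bool
{
    $name = $args['extra_template_path'] ?? '';

    // 1. Structural allow-list: a single .php file name, no separators, no traversal,
    //    no absolute paths and no stream wrappers such as php:// or data://.
    if (!preg_match('/\A[A-Za-z0-9_-]+\.php\z/', $name)) {
        return false;
    }

    // 2. Canonicalise and require the resolved file to live under the template
    //    directory. realpath() follows symlinks and returns false for missing files,
    //    so a symlink pointing outside the directory is rejected as well.
    $base = realpath($template_dir);
    $full = realpath($template_dir . DIRECTORY_SEPARATOR . $name);
    if ($base === false || $full === false) {
        return false;
    }
    if (strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }

    include $full;
    return true;
}

// Demonstration on constructed input: a temporary template directory with one
// legitimate template, then a legitimate request followed by typical LFI payloads.
$dir = sys_get_temp_dir() . '/auxin_lfi_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/grid.php', "<?php echo \"grid template rendered\\n\";");

$cases = [
    ['extra_template_path' => 'grid.php'],                 // legitimate template name
    ['extra_template_path' => '../../../../etc/passwd'],  // directory traversal
    ['extra_template_path' => '/tmp/evil.php'],           // absolute path
    ['extra_template_path' => 'grid.php/../../x.php'],    // traversal after a valid prefix
    ['extra_template_path' => 'php://filter/resource=grid.php'], // stream wrapper
];

foreach ($cases as $case) {
    $value = $case['extra_template_path'];
    $ok = render_portfolio_template_safe($case, $dir);
    printf("%-36s => %s\n", $value, $ok ? 'included' : 'rejected');
}

unlink($dir . '/grid.php');
rmdir($dir);
```

Only the first case is included; the other four are rejected by the file-name allow-list before realpath() is ever consulted. The second check is kept deliberately: it catches symlinks and any future loosening of the regular expression, and it is the check that matters when a plugin legitimately needs subdirectories. Fixing the plugin at the call site is the correct remediation; disabling allow_url_include does not help here because every payload in the list is a local path, and open_basedir only limits which local files can be reached, not whether the include executes.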
Affected Systems and Versions
- Product: Premium Portfolio Features for Phlox theme plugin (auxin-portfolio) for WordPress
- Affected versions: All versions up to and including 2.3.10
- Any WordPress site with this plugin at or below version 2.3.10 is vulnerable
Vendor Security History
The Premium Portfolio Features for Phlox theme plugin has a history of similar vulnerabilities:
- Previous unauthenticated local file inclusion vulnerabilities were reported in versions up to 2.3.1 (CVE-2023-XXXXX, CVSS 9.8) and up to 2.3.10 (CVSS 8.6).
- The plugin has also been affected by stored cross-site scripting (XSS) vulnerabilities, such as CVE-2024-1384 (affecting versions up to 2.3.3).
- The recurrence of LFI and XSS vulnerabilities indicates ongoing challenges with input validation and secure coding practices in this plugin's development.