CVE-2025-12493 is a critical security vulnerability classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, commonly known as a path traversal flaw) found in the ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules WordPress plugin, formerly known as WooLentor. This vulnerability exists in all versions up to and including 3.2.5 within the 'load_template' function, which improperly sanitizes user input used to specify file paths. An unauthenticated attacker can exploit this flaw by crafting specially designed requests that manipulate the file path parameter to include arbitrary PHP files from the server's filesystem. This local file inclusion (LFI) leads to the execution of arbitrary PHP code, allowing attackers to bypass access controls, read sensitive files, or execute malicious code on the server. The vulnerability is remotely exploitable over the network without requiring any authentication or user interaction, making it highly dangerous. The CVSS v3.1 base score of 9.8 reflects its critical severity, with attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), and no user interaction (UI:N). Although no known exploits have been reported in the wild yet, the widespread use of the ShopLentor plugin in WooCommerce-based WordPress e-commerce sites makes this a high-risk vulnerability. The flaw can lead to full system compromise, data leakage, and disruption of e-commerce operations if exploited.

For European organizations, especially those operating e-commerce platforms using WordPress with the ShopLentor plugin, this vulnerability poses a severe risk. Exploitation can result in unauthorized access to sensitive customer data, including payment and personal information, leading to privacy violations and regulatory non-compliance under GDPR. The ability to execute arbitrary PHP code can allow attackers to implant backdoors, conduct further lateral movement, or disrupt availability by defacing websites or causing denial of service. This can damage brand reputation, cause financial losses, and trigger legal liabilities. Given the plugin's popularity among WooCommerce users, organizations in sectors like retail, hospitality, and services are particularly vulnerable. The lack of authentication requirement and ease of exploitation increase the likelihood of automated attacks targeting vulnerable sites across Europe. Additionally, compromised e-commerce sites may be used as vectors for supply chain attacks or to distribute malware to customers.

Immediate mitigation steps include monitoring for unusual requests targeting the 'load_template' function and implementing strict input validation and sanitization at the web application firewall (WAF) level to block path traversal attempts. Organizations should apply any available patches from devitemsllc as soon as they are released. Until a patch is available, disabling or removing the ShopLentor plugin from production environments is advisable if feasible. Regularly audit plugin versions and update WordPress and all plugins promptly. Employ least privilege principles on the web server to limit the impact of potential code execution, such as restricting PHP execution permissions in upload directories. Enable logging and alerting for suspicious file inclusion attempts. Conduct penetration testing focused on LFI and path traversal vectors to identify residual risks. Finally, maintain offline backups of website data to enable rapid recovery in case of compromise.