CVE-2025-12493 is a critical security vulnerability classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, commonly known as path traversal) found in the ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution WordPress plugin, formerly known as WooLentor. This vulnerability exists in all versions up to and including 3.2.5 within the 'load_template' function. The flaw allows unauthenticated attackers to perform local file inclusion (LFI) by manipulating the file path input, enabling them to include arbitrary PHP files from the server. When attackers can upload or otherwise place malicious PHP files on the server, they can execute arbitrary code remotely, leading to full system compromise. The vulnerability does not require any authentication or user interaction, making it highly exploitable over the network. The CVSS v3.1 score of 9.8 reflects its critical nature, with high impact on confidentiality, integrity, and availability. The vulnerability can be leveraged to bypass access controls, steal sensitive information, or execute malicious payloads, severely impacting the affected WordPress installations. No official patches or updates are currently linked, so mitigation relies on immediate protective measures and monitoring. Given the widespread use of WooCommerce and Elementor in e-commerce, this vulnerability poses a significant risk to online stores and their customers.

The impact of CVE-2025-12493 is severe for organizations worldwide using the ShopLentor plugin in their WordPress environments. Exploitation can lead to remote code execution, allowing attackers to fully compromise web servers hosting e-commerce sites. This can result in unauthorized access to sensitive customer data, including payment information, personally identifiable information (PII), and business-critical data. Attackers may also deface websites, deploy malware, or use compromised servers as a foothold for further network intrusion. The availability of the affected e-commerce platform can be disrupted, causing financial losses and reputational damage. Since the vulnerability requires no authentication or user interaction, automated mass scanning and exploitation campaigns could emerge rapidly once public exploit code becomes available. This threat is particularly critical for online retailers, service providers, and any organization relying on WordPress with ShopLentor for their digital storefronts. The potential for widespread damage and data breaches makes this vulnerability a top priority for remediation.

To mitigate CVE-2025-12493, organizations should immediately upgrade the ShopLentor plugin to a patched version once released by the vendor. Until an official patch is available, implement the following specific measures: 1) Restrict file upload capabilities to prevent uploading of executable PHP files by enforcing strict file type validation and sanitization. 2) Employ web application firewalls (WAFs) with custom rules to detect and block path traversal attempts targeting the 'load_template' function or suspicious URL patterns. 3) Harden server configurations by disabling PHP execution in directories used for file uploads or temporary storage. 4) Monitor web server logs for unusual file inclusion requests or errors indicative of exploitation attempts. 5) Isolate WordPress instances and limit permissions to minimize the impact of potential compromise. 6) Conduct regular security audits and vulnerability scans focusing on plugin vulnerabilities. 7) Educate development and operations teams about secure coding practices to prevent similar path traversal flaws. These targeted actions, combined with timely patching, will significantly reduce the risk posed by this vulnerability.