CVE-2025-12493: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in devitemsllc ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor)
The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.2.5 via the 'load_template' function. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
AI Analysis
Technical Summary
CVE-2025-12493 is a critical security vulnerability classified under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, i.e., Path Traversal) in the ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution WordPress plugin, formerly known as WooLentor. It exists in all versions up to and including 3.2.5 and is exploitable via the 'load_template' function. The flaw allows unauthenticated attackers to perform Local File Inclusion (LFI) by manipulating the file path input so that arbitrary files on the server are included. Because the plugin loads PHP templates dynamically, an attacker who can upload or otherwise place a malicious PHP file on the server can have it included and executed; in that case the flaw leads to remote code execution (RCE), enabling attackers to bypass access controls, steal sensitive data, modify site content, or disrupt service availability. The vulnerability requires no authentication or user interaction, making it highly exploitable remotely over the network. The CVSS v3.1 base score is 9.8, reflecting a network attack vector, low attack complexity, no privileges required, and no user interaction needed. Although no public exploits have been reported yet, the severity and ease of exploitation make this a high-priority threat. The vulnerability affects WordPress sites using the plugin, which is popular among WooCommerce users for building e-commerce storefronts with the Elementor and Gutenberg editors. Given the widespread use of WordPress and WooCommerce in Europe, it poses a significant risk to online retailers and businesses relying on this plugin for their web presence.
Potential Impact
The impact of CVE-2025-12493 on European organizations can be severe. Exploitation can lead to full server compromise, allowing attackers to execute arbitrary PHP code, which can result in data breaches, theft of customer information, financial fraud, defacement of websites, and disruption of e-commerce operations. For businesses relying on WooCommerce and ShopLentor for their online storefronts, this can mean loss of revenue, damage to brand reputation, and potential regulatory penalties under GDPR due to exposure of personal data. The vulnerability's unauthenticated nature increases the risk of widespread exploitation, especially targeting small and medium-sized enterprises that may lack robust security monitoring. Additionally, attackers could leverage compromised servers as pivot points for further attacks within corporate networks. The availability of the affected plugin across many European WordPress sites amplifies the potential attack surface. The critical severity and ease of exploitation necessitate urgent remediation to prevent significant operational and financial impacts.
Mitigation Recommendations
To mitigate CVE-2025-12493, organizations should immediately update the ShopLentor plugin to a patched version once released by the vendor. Until a patch is available, administrators should consider disabling or uninstalling the plugin to eliminate exposure. Implement strict input validation and sanitization on any user-supplied file path parameters to prevent path traversal attempts. Restrict file upload functionality to disallow PHP or executable files, and enforce strong file type and content validation. Employ Web Application Firewalls (WAFs) with rules to detect and block path traversal and LFI attack patterns targeting the 'load_template' function. Regularly audit and monitor web server logs for suspicious file inclusion attempts or unexpected PHP file executions. Limit file system permissions for the web server user to prevent unauthorized file access or execution. Conduct thorough security assessments of WordPress environments, focusing on plugins and themes. Educate development and operations teams about secure coding practices related to file handling. Finally, maintain regular backups and incident response plans to quickly recover from potential compromises.
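As an added illustration, not code from the ShopLentor plugin and not a claim about how its 'load_template' function is written: a template loader that applies the input validation and directory containment the recommendations above describe. The function names, the slug-only naming rule and the flat template directory layout are assumptions.

```php
<?php
// Hypothetical hardened template loader: an added illustration of the checks the
// mitigation advice calls for, not ShopLentor's own code. Assumed layout:
// templates live directly under $templateDir and are requested by a short slug.
function resolve_template_path(string $templateDir, string $requested): ?string
{
    // Allowlist: slug only. Rejects "..", separators, absolute paths, NUL bytes, php:// and extensions.
    if (!preg_match('/^[a-z0-9][a-z0-9_-]{0,63}$/', $requested)) {
        return null;
    }
    $base = realpath($templateDir);
    if ($base === false) {
        return null;
    }
    // Defence in depth: resolve symlinks and require the result to sit inside
    // the template directory before anything is handed to include.
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($candidate === false) {
        return null; // no such template
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null; // resolved outside the template directory
    }
    return $candidate;
}

function load_template_safe(string $templateDir, string $requested, array $vars = []): bool
{
    $path = resolve_template_path($templateDir, $requested);
    if ($path === null) {
        // Log the rejected value so monitoring can pick up traversal attempts.
        error_log('template request rejected: ' . $requested);
        return false;
    }
    extract($vars, EXTR_SKIP);
    include $path;
    return true;
}

// Demo against a constructed template directory.
$dir = sys_get_temp_dir() . '/tpl-demo-' . getmypid();
mkdir($dir);
file_put_contents("$dir/product-grid.php", '<?php echo "rendered ", htmlspecialchars($title), "\n";');
foreach (['product-grid', '../../outside', '/absolute/path', 'product-grid.php'] as $req) {
    $ok = load_template_safe($dir, $req, ['title' => 'Shoes']);
    echo str_pad($req, 20), $ok ? 'accepted' : 'rejected', "\n";
}
unlink("$dir/product-grid.php");
rmdir($dir);
```

Only the bare slug is accepted; every other request is refused before include runs and is logged for the monitoring step above.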
Affected Countries
Germany, United Kingdom, France, Italy, Netherlands, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-29T20:10:08.366Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6909e325e8d08963ed86c4fb
Added to database: 11/4/2025, 11:27:33 AM
Last enriched: 11/11/2025, 11:38:39 AM
Last updated: 12/19/2025, 12:11:24 AM