A critical-severity Local File Inclusion (LFI) flaw in the popular WordPress plugin ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor) allows unauthenticated attackers to include and run arbitrary .php files on affected sites. The vulnerability (CVE-2025-12493, CVSS 9.8) affects all plugin versions ≤ 3.2.5 and was fixed in 3.2.6. The plugin has 100,000+ active installations, putting a large number of e-commerce sites at risk.
The flaw sits in the plugin's load_template logic: an unauthenticated request can steer the path that the plugin passes to a PHP include, and PHP executes whatever .php file that path resolves to. The include on its own does not let an attacker write files, so exploitation needs a .php file already on the server that the attacker controls or can place there (for example via a misconfigured uploads directory, a second vulnerable plugin, or any other writable location). On the many sites where such a foothold is available, the vulnerable include turns it into remote code execution and full site compromise.
If you operate WordPress sites using ShopLentor, treat this as urgent.
- Update now: upgrade the ShopLentor plugin to version 3.2.6 or later on every affected site (test on staging if you must, but prioritize live e-commerce sites).
- If you cannot update immediately:
  - Deactivate the plugin until you can apply 3.2.6.
  - Or add a WAF / server rule that blocks requests carrying traversal sequences or `.php` paths in the `load_template` parameter.
- Check logs for suspicious requests and indicators of exploitation (see the detection section). Look for requests with unusual `template` or `load_template` parameters, attempts to include `../../` paths, or paths under `wp-content/uploads`.
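The log check above is easier to run consistently than to eyeball. The script below is an added example, not code from the article or from the ShopLentor plugin: it parses lines in the combined log format that Apache and nginx write by default, decodes the `template` and `load_template` query parameters (repeatedly, so double-encoded `%252e%252e%252f` traversal is not missed), and flags the indicators the advisory names: `../` traversal, paths under `wp-content/uploads`, and `.php` targets. The log lines in `SAMPLE_LOG` are constructed using RFC 5737 test addresses; the URL paths and parameter values in them are assumptions for illustration, not captured exploit traffic.

```python
"""Scan web-server access logs for requests that look like attempts to abuse the
ShopLentor load_template / template parameters (CVE-2025-12493 indicators).

Added example, not code from the article or the plugin. Assumes the combined log
format (Apache/nginx default); the sample lines are constructed, not real traffic.
"""
import re
from typing import Dict, List
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format: client IP, timestamp, method, request target, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)

# Query parameter names the advisory associates with the vulnerable include logic.
SUSPECT_PARAMS = {"template", "load_template"}

# Constructed sample lines (RFC 5737 test addresses). Paths/values are hypothetical.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Nov/2025:10:01:02 +0000] "GET /?load_template=../../wp-content/uploads/2025/11/shell.php HTTP/1.1" 200 512 "-" "curl/8.4.0"
198.51.100.9 - - [20/Nov/2025:10:01:05 +0000] "GET /shop/?template=%252e%252e%252f%252e%252e%252fwp-content%252fuploads%252fx.php HTTP/1.1" 200 128 "-" "python-requests/2.31.0"
192.0.2.44 - - [20/Nov/2025:10:02:10 +0000] "GET /shop/?template=product-grid HTTP/1.1" 200 9832 "-" "Mozilla/5.0"
192.0.2.45 - - [20/Nov/2025:10:02:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded traversal (%252e%252e) is caught."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    # Drop NUL bytes: the classic null-byte truncation trick against include() paths.
    return value.replace("\x00", "")


def indicators(value: str) -> List[str]:
    """Return the LFI indicators present in an already-decoded parameter value."""
    found = []
    if "../" in value or "..\\" in value:
        found.append("traversal")
    if "wp-content/uploads" in value:
        found.append("uploads-path")
    if value.lower().endswith(".php"):
        found.append("php-target")
    return found


def find_suspicious(log_text: str) -> List[Dict[str, object]]:
    """Return one record per request whose template/load_template value carries an indicator."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        query = urlsplit(m.group("target")).query
        # parse_qsl decodes one layer of percent-encoding; fully_decode handles the rest.
        for name, raw in parse_qsl(query, keep_blank_values=True):
            if name.lower() not in SUSPECT_PARAMS:
                continue
            value = fully_decode(raw)
            reasons = indicators(value)
            if reasons:
                hits.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "param": name,
                    "value": value,
                    "status": int(m.group("status")),
                    "reasons": reasons,
                })
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["ip"]} {hit["param"]}={hit["value"]} '
              f'-> {", ".join(hit["reasons"])} (HTTP {hit["status"]})')
```

Run it against a real access log by feeding the file contents to `find_suspicious` instead of `SAMPLE_LOG`. Treat a flagged request that returned HTTP 200 as a higher-priority lead than one that returned 404 or 500, since a successful include is exactly what the flaw delivers; in that case pull the referenced `.php` file from `wp-content/uploads` (or wherever the value points) for analysis before cleaning up.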