CVE-2025-12493
📋 TL;DR
This vulnerability allows unauthenticated attackers to include and execute arbitrary PHP files on WordPress servers running the ShopLentor plugin. Attackers can achieve remote code execution, bypass access controls, or access sensitive data. All WordPress sites using ShopLentor (formerly WooLentor) version 3.2.5 or earlier are affected.
💻 Affected Systems
- ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules (formerly WooLentor)
📦 What is this software?
ShopLentor by HasThemes
⚠️ Risk & Real-World Impact
Worst Case
Complete server compromise via remote code execution, leading to data theft, website defacement, malware distribution, or ransomware deployment.
Likely Case
Unauthenticated attackers execute arbitrary PHP code to create backdoors, steal sensitive data, or pivot to other systems.
If Mitigated
Limited impact if file uploads are restricted and server permissions prevent PHP execution in upload directories.
🎯 Exploit Status
The vulnerability is in publicly accessible AJAX endpoints. Exploitation requires finding or uploading PHP files to include.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.2.6 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3388234/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Go to Plugins → Installed Plugins.
3. Find ShopLentor/WooLentor.
4. Click 'Update Now' if available.
5. If not, download version 3.2.6+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily deactivate the ShopLentor plugin until patched.
wp plugin deactivate woolentor-addons
Restrict file uploads
Block execution of PHP files in the uploads directory via web server configuration. Scope these rules to wp-content/uploads (an .htaccess placed in that directory, or a matching Nginx location); applied site-wide they would also deny WordPress's own PHP files.
# In Apache .htaccess inside wp-content/uploads (2.2 syntax; on Apache 2.4 use "Require all denied" instead of "Deny from all"):
<FilesMatch ".*\.php$">
    Deny from all
</FilesMatch>
# In Nginx, inside the server block and before the general PHP handler location (regex locations are matched in order):
location ~* ^/wp-content/uploads/.*\.php$ { deny all; }
🧯 If You Can't Patch
- Disable the ShopLentor plugin immediately.
- Implement web application firewall (WAF) rules to block requests to vulnerable AJAX endpoints.
🔍 How to Verify
Check if Vulnerable:
Check plugin version in WordPress admin under Plugins → Installed Plugins. If version is 3.2.5 or lower, you are vulnerable.
Check Version:
wp plugin get woolentor-addons --field=version
Verify Fix Applied:
Confirm plugin version is 3.2.6 or higher after update.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /wp-admin/admin-ajax.php with 'action' parameter containing 'woolentor' or 'shoplentor'
- File inclusion attempts in access logs with paths like '../../' or absolute paths
Network Indicators:
- HTTP requests to admin-ajax.php with unusual file paths in parameters
- Unexpected outbound connections from web server post-exploitation
SIEM Query:
source="web_access.log" AND uri="/wp-admin/admin-ajax.php" AND ((param="action" AND value="*woolentor*") OR (param="*template*" AND value="*../*"))
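The log indicators above, turned into a small triage script as an added example (not part of the original advisory or the plugin): it parses combined-format access log lines, keeps only admin-ajax.php requests, and flags a ShopLentor/WooLentor `action` value for review and any traversal or absolute-path parameter value as high severity. The sample lines are constructed; parameter names such as `template` are assumed, and because access logs do not record POST bodies the script only sees query-string parameters.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=woolentor_tab_content HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.5 - - [10/Nov/2025:10:01:03 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 77 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Nov/2025:10:02:10 +0000] "POST /wp-admin/admin-ajax.php?action=woolentor_product_grid&template=..%252F..%252Fuploads%252Fx.php HTTP/1.1" 200 40 "-" "python-requests/2.31"
198.51.100.7 - - [10/Nov/2025:10:02:11 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)
PLUGIN_MARKERS = ("woolentor", "shoplentor")  # action names used by the plugin's AJAX handlers


def path_like(value: str) -> bool:
    """True if a parameter value looks like a traversal sequence or an absolute path."""
    v = unquote(value)  # parse_qs decoded once already; decode again to catch double encoding
    return "../" in v or "..\\" in v or v.startswith("/")


def classify(line: str):
    """Return a finding dict for an admin-ajax.php request matching the indicators, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parsed = urlparse(m.group("uri"))
    if parsed.path != "/wp-admin/admin-ajax.php":
        return None
    params = parse_qs(parsed.query, keep_blank_values=True)
    reasons = []
    for action in params.get("action", []):
        if any(marker in action.lower() for marker in PLUGIN_MARKERS):
            reasons.append(f"plugin action: {action}")
    for name, values in params.items():
        for value in values:
            if path_like(value):
                reasons.append(f"path-like value: {name}={unquote(value)}")
    if not reasons:
        return None
    # A plugin action alone is normal front-end traffic; a path-like value is the real signal.
    severity = "high" if any(r.startswith("path-like") for r in reasons) else "review"
    return {"ip": m.group("ip"), "time": m.group("ts"), "method": m.group("method"),
            "status": m.group("status"), "severity": severity, "reasons": reasons}


def scan(log_text: str):
    """Classify every line and return the findings in log order."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Point `scan` at a real access log to get the same output; for POST bodies you need WAF or application-level logging, which this script does not cover.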
🔗 References
- https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/classes/class.ajax_actions.php#L213
- https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/classes/class.ajax_actions.php#L241
- https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/classes/class.ajax_actions.php#L42
- https://plugins.trac.wordpress.org/browser/woolentor-addons/trunk/includes/addons/product-grid/base/class.product-grid-base.php#L378
- https://plugins.trac.wordpress.org/changeset/3388234/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/12bb4bb9-e908-43ad-8fb1-59418580f5e1?source=cve