EXECUTIVE SUMMARY:
A critical Local File Inclusion vulnerability, CVE-2025-12493, in the ShopLentor plugin allows unauthenticated attackers to force the WordPress PHP runtime to include and execute attacker-supplied .php files, resulting in remote code execution and potential full site compromise on sites running affected plugin versions. E-commerce sites using this plugin face urgent risk: operators should upgrade the plugin to the latest version immediately or, if immediate patching isn't possible, deactivate the plugin or apply WAF or server rules to block requests that abuse the load_template or template parameters. Additionally, audit logs for suspicious requests and check for signs of uploaded or placed PHP files that could be executed. The vulnerability has a CVSS score of 9.8.
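As an added example (not part of this advisory or of the plugin's code), a log-triage script for the audit step above: it parses Apache-style access log lines and flags requests whose template or load_template parameters carry traversal sequences, PHP file names or PHP stream wrappers, including double-URL-encoded variants. The parameter names come from the advisory; the request path and the log lines are constructed placeholders, since the page does not give the vulnerable endpoint.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Parameter names the advisory says are abused. The real endpoint is not
# given on the page, so the constructed sample requests use a placeholder path.
WATCHED_PARAMS = {"template", "load_template"}

# Values a defender treats as inclusion abuse of those parameters: directory
# traversal, a .php file name, PHP stream wrappers, or an absolute path.
SUSPICIOUS = re.compile(r"(\.\./|\.\.\\|\.php\b|php://|phar://|^/)", re.IGNORECASE)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def check_request(target):
    """Return (param, decoded_value) pairs in the query string that look like inclusion abuse."""
    hits = []
    qs = parse_qs(urlparse(target).query, keep_blank_values=True)
    for name, values in qs.items():
        if name.lower() not in WATCHED_PARAMS:
            continue
        for v in values:
            decoded = unquote(unquote(v))  # parse_qs decoded once; undo double encoding too
            if SUSPICIOUS.search(decoded):
                hits.append((name, decoded))
    return hits

def scan_log(lines):
    """Return flagged entries as (client_ip, request_target, hits) tuples for triage."""
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined/common log format
        hits = check_request(m.group("target"))
        if hits:
            flagged.append((m.group("ip"), m.group("target"), hits))
    return flagged

# Constructed sample lines (not real traffic); the path "/" is a placeholder endpoint.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Nov/2025:10:00:01 +0000] "GET /?load_template=%2e%2e%2f%2e%2e%2fwp-content%2fuploads%2fplaced.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Nov/2025:10:00:02 +0000] "GET /?template=product-grid HTTP/1.1" 200 2048',
    '198.51.100.9 - - [01/Nov/2025:10:00:03 +0000] "GET /?template=php://input HTTP/1.1" 500 0',
    '192.0.2.1 - - [01/Nov/2025:10:00:04 +0000] "GET /shop/?page=2 HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for ip, target, hits in scan_log(SAMPLE_LOG):
        print(ip, target, hits)
```

Flagged entries identify the client and the decoded parameter value, which is what to pivot on when checking the upload directory for placed PHP files.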
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details: