Description
The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.2.5 via the 'load_template' function. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Published: 2025-11-04
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Server‑side code execution via unauthenticated local file inclusion
Action: Immediate Patch
AI Analysis

Impact

ShopLentor allows an unauthenticated attacker to invoke the load_template function with a user supplied file path, resulting in the inclusion and execution of arbitrary local PHP files on the WordPress host. This flaw can be used to bypass access controls, read sensitive data, or run malicious code with the privileges of the web application, effectively giving the attacker full control over the affected server.

Affected Systems

The vulnerability affects the devitemsllc ShopLentor All‑in‑One WooCommerce Growth & Store Enhancement Plugin, specifically all releases up to and including version 3.2.5. Users of earlier releases should verify the installed version against the product’s changelog for fixes.

Risk and Exploitability

With a CVSS score of 9.8 the flaw is considered a critical remote‑execution risk. The EPSS score of <1% indicates a low overall exploitation probability at this time, and the vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is a simple HTTP request to the plugin’s load_template endpoint, which does not require authentication.

Generated by OpenCVE AI on April 22, 2026 at 16:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade ShopLentor to a version newer than 3.2.5 if one is available. The vendor’s release notes indicate that subsequent releases patch the local file inclusion flaw.
  • If an immediate upgrade is not feasible, disable or remove the load_template functionality by deactivating the plugin or manually editing the plugin code to block the inclusion of arbitrary files.
  • Configure the web server or a web application firewall to block unauthenticated requests to the load_template endpoint and to prevent execution of PHP files in plugin directories.

Generated by OpenCVE AI on April 22, 2026 at 16:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 26 Nov 2025 14:45:00 +0000

Type Values Removed Values Added
First Time appeared Hasthemes
Hasthemes shoplentor
CPEs cpe:2.3:a:hasthemes:shoplentor:*:*:*:*:*:wordpress:*:*
Vendors & Products Hasthemes
Hasthemes shoplentor

Tue, 04 Nov 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 04 Nov 2025 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Tue, 04 Nov 2025 11:30:00 +0000

Type Values Removed Values Added
Description The ShopLentor – WooCommerce Builder for Elementor & Gutenberg +21 Modules – All in One Solution (formerly WooLentor) plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 3.2.5 via the 'load_template' function. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Title ShopLentor <= 3.2.5 - Unauthenticated Local PHP File Inclusion via 'load_template'
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Hasthemes Shoplentor
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:36:30.320Z

Reserved: 2025-10-29T20:10:08.366Z

Link: CVE-2025-12493

cve-icon Vulnrichment

Updated: 2025-11-04T19:38:46.952Z

cve-icon NVD

Status : Analyzed

Published: 2025-11-04T12:15:36.957

Modified: 2025-11-26T14:41:39.887

Link: CVE-2025-12493

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T16:45:21Z

Weaknesses