CVE Alert: CVE-2025-12497 – averta – Premium Portfolio Features for Phlox theme

CVE-2025-12497

HIGH | No exploitation known

The Premium Portfolio Features for Phlox theme plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.3.10 via the ‘args[extra_template_path]’ parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.

CVSS v3.1 (8.1)
Vendor
averta
Product
Premium Portfolio Features for Phlox theme
Versions
* lte 2.3.10
CWE
CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’)
Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Published
2025-11-05T11:24:40.177Z
Updated
2025-11-05T11:24:40.177Z

AI Summary Analysis

Risk verdict

High risk: unauthenticated remote Local File Inclusion could lead to arbitrary PHP code execution; patching should be prioritised.

Why this matters

The flaw enables execution of PHP code on the server, bypassing access controls and potentially exfiltrating data or taking control of the site. In practice, an attacker could deploy web shells or pivot within the hosting environment, exposing adjacent services and data.

Most likely attack path

An attacker can trigger the vulnerability via a crafted request to the vulnerable plugin parameter, enabling inclusion of arbitrary local PHP files. No user interaction is required and authentication is not needed, so a wide set of internet-accessible WordPress deployments could be exploited if the plugin is present at version 2.3.10 or earlier.

Who is most exposed

WordPress sites using the Phlox theme with the Premium Portfolio Features plugin (≤ 2.3.10) and internet-facing hosting are at greatest risk, particularly where file upload or dynamic template inclusion is enabled.

Detection ideas

  • Look for requests with unusual args[extra_template_path] values or errors from include/require failures.
  • Unauthorised PHP file creation or modification under the plugin/theme directories.
  • Web shells or suspicious PHP files appearing in uploads or theme folders.
  • Anomalous PHP errors logged by the web server or application logs.
  • Sudden spikes in outbound traffic or unusual process activity from the web server.
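As an added example (not code from the advisory or from the vendor), the first detection idea above as a small log scanner: it parses combined-format web access-log lines, URL-decodes the query string, and flags any request whose args[extra_template_path] value looks like a path-inclusion attempt (traversal, absolute path, stream wrapper or null byte). The log lines are constructed samples and the heuristics are assumptions to tune against your own traffic.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [05/Nov/2025:12:00:01 +0000] "GET /?args%5Bextra_template_path%5D=..%2F..%2Fwp-content%2Fuploads%2F2025%2Fx.php HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [05/Nov/2025:12:00:02 +0000] "GET /portfolio/?args%5Bextra_template_path%5D=grid HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
203.0.113.11 - - [05/Nov/2025:12:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=x&args[extra_template_path]=/var/tmp/x.php HTTP/1.1" 500 0 "-" "python-requests/2.31"
198.51.100.9 - - [05/Nov/2025:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, timestamp, request target, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
PARAM = "args[extra_template_path]"  # the parameter named in the advisory


def suspicious_value(value: str) -> Optional[str]:
    """Return a reason if the template path looks like an inclusion attempt, else None."""
    if "\x00" in value:
        return "null byte"
    if value.startswith("/") or re.match(r"^[A-Za-z]:[\\/]", value):
        return "absolute path"
    if ".." in value.replace("\\", "/").split("/"):
        return "directory traversal"
    if "://" in value:  # php://, phar://, http:// and similar wrappers
        return "stream wrapper or URL"
    return None


def scan_log(text: str) -> list:
    """Return one finding per request carrying a suspicious args[extra_template_path]."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        # parse_qs decodes %5B/%5D in the key and %2F in the value for us.
        params = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        for value in params.get(PARAM, []):
            reason = suspicious_value(value)
            if reason:
                findings.append({"ip": m.group("ip"), "ts": m.group("ts"),
                                 "status": int(m.group("status")),
                                 "value": value, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} {f['reason']}: {f['value']}")
```

A 200 response paired with a flagged value deserves the same follow-up as a 500: the advisory's inclusion works on the server side, so a successful-looking status does not rule out impact.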

Mitigation and prioritisation

  • Update the plugin to a fixed version (later than 2.3.10), or remove/disable the affected plugin until it is fixed.
  • If patching is delayed, implement compensating controls: disable file inclusion features, restrict uploads, and harden PHP include_path.
  • Enforce least privilege file permissions and monitor for unexpected PHP file creations.
  • Deploy WAF rules to block suspicious include parameters; enforce input validation.
  • Change-management: schedule a maintenance window for patching; verify integrity post-deployment.
  • If KEV is true or EPSS ≥ 0.5 (data not provided), treat as priority 1.
