Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Towny towny allow...
Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Towny towny allows PHP Local File Inclusion
AI Analyst Comment
Remediation
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
Executive Summary:
A high-severity vulnerability has been identified in multiple axiomthemes Towny products, carrying a CVSS score of 8.2. This flaw allows an attacker to trick the web application into revealing the contents of sensitive files on the server. Successful exploitation could lead to the theft of confidential data, such as configuration details and user credentials, potentially enabling further unauthorized access to the system.
Vulnerability Details
CVE-ID: CVE-2025-58889
Affected Software: axiomthemes Towny Multiple Products
Affected Versions: See vendor advisory for specific affected versions
Vulnerability: The vulnerability is a Local File Inclusion (LFI) flaw resulting from the improper sanitization of user-supplied input used in PHP
includeorrequirestatements. An unauthenticated remote attacker can manipulate input parameters, typically in the URL, to include path traversal sequences (e.g.,../). This forces the application to load and display the contents of arbitrary files from the server's local filesystem, limited only by the web server's file permissions. An attacker could exploit this to read sensitive files like/etc/passwd, application source code, or configuration files containing database credentials.Business Impact
This vulnerability is classified as High severity with a CVSS score of 8.2. Exploitation could lead to a significant data breach, exposing sensitive corporate or customer information stored on the server. The potential consequences include theft of intellectual property, exposure of user credentials, and compromise of system secrets like API keys and database passwords. This could result in direct financial loss, severe reputational damage, regulatory fines, and provide a foothold for attackers to launch more extensive attacks against the organization's infrastructure.
Remediation Plan
Immediate Action: Immediately apply the security updates provided by the vendor across all affected axiomthemes products. After patching, review web server access logs for any signs of past or ongoing exploitation attempts.
Proactive Monitoring: Security teams should actively monitor web server logs for suspicious requests containing path traversal characters (e.g.,
../,..\,%2e%2e%2f) in URL parameters. Set up alerts for attempts to access common sensitive files such aswp-config.php,.env, or system files like/etc/passwd. Monitor for unusual outbound traffic, which could indicate data exfiltration.Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block LFI and path traversal attack patterns. Additionally, harden the server environment by enforcing strict file permissions to limit the files the web server process can access and configure PHP's
open_basedirdirective to restrict file access to specific directories.Exploitation Status
Public Exploit Available: false
Analyst Notes: As of December 19, 2025, there are no known public exploits or active exploitation campaigns targeting this vulnerability. However, LFI vulnerabilities are well-understood and relatively easy to exploit. It is highly probable that proof-of-concept code will become publicly available shortly, which will significantly increase the likelihood of opportunistic and targeted attacks.
Analyst Recommendation
Given the high severity (CVSS 8.2) of this vulnerability and its potential for exposing sensitive data, we strongly recommend that organizations identify all instances of the affected axiomthemes products and apply the vendor-supplied patches as a top priority. Although this vulnerability is not currently listed on the CISA KEV list, its critical nature warrants immediate attention to prevent potential system compromise and data breaches. Proactive patching is the most effective defense against future exploitation.