CVE-2015-10133

Subscribe · Subscribe to Comments for WordPress

A high-severity vulnerability exists in the "Subscribe to Comments for WordPress" plugin, allowing unauthenticated attackers to read sensitive files directly from the web server.

Executive summary

The flaw lets an attacker read sensitive files directly from the web server. Successful exploitation could expose confidential data, such as the database credentials and authentication salts in wp-config.php and the list of system accounts in /etc/passwd, potentially enabling a complete compromise of the affected website and server.

Vulnerability

The vulnerability is a Local File Inclusion (LFI). The plugin builds a filesystem path from user-supplied input without sanitising it. An unauthenticated remote attacker can craft a request in which that parameter carries directory traversal sequences (e.g. ../, or percent-encoded forms such as %2e%2e%2f), causing the application to open arbitrary files on the server's local filesystem and return their contents, such as wp-config.php (database credentials and authentication salts) or /etc/passwd (the list of system accounts). If the sink is a PHP include rather than a plain file read, any PHP code in the targeted file is executed as well as disclosed, which widens the impact beyond information leakage.
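The root cause above is a path built from an unchecked parameter. The following Python is an added illustration, not code from the plugin or from the advisory, of the containment check such a parameter should pass before it reaches a filesystem call: decode (repeatedly, because a single decode misses double encoding), reject NUL bytes and absolute paths, normalise, and require the result to stay under the intended directory. It also shows the stricter allowlist alternative. The template directory, the allowlisted names and the probe values are assumptions made for the example.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Hypothetical directory the plugin is meant to read from (assumption for the example).
TEMPLATE_ROOT = "/var/www/html/wp-content/plugins/subscribe-to-comments/templates"

# Hypothetical set of files the feature legitimately needs (assumption for the example).
ALLOWED_TEMPLATES = {"notification", "confirmation"}


def decode_repeatedly(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (bounded).

    One decode turns %2e%2e%2f into ../, but %252e%252e%252f needs two, so a
    filter that decodes once is bypassable by double encoding.
    """
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def resolve_inside_root(root: str, user_path: str) -> Optional[str]:
    """Return the normalised path if it stays under root, otherwise None.

    This is the containment check the vulnerable plugin lacks.
    """
    decoded = decode_repeatedly(user_path)
    # NUL truncation: historically cut a path short inside PHP's include/fopen.
    if "\x00" in decoded:
        return None
    # Backslash is a separator on Windows hosts; treat it as one here too.
    decoded = decoded.replace("\\", "/")
    # An absolute path is never a valid template name.
    if decoded.startswith("/"):
        return None
    root_norm = posixpath.normpath(root)
    candidate = posixpath.normpath(posixpath.join(root_norm, decoded))
    # The trailing separator matters: without it ".../templates-evil/x" would
    # pass a prefix test against ".../templates".
    if candidate == root_norm or candidate.startswith(root_norm + "/"):
        return candidate
    return None


def template_path(name: str) -> str:
    """Stricter alternative: map an allowlisted name to a path; never join user input."""
    if name not in ALLOWED_TEMPLATES:
        raise ValueError(f"unknown template: {name!r}")
    return posixpath.join(TEMPLATE_ROOT, name + ".php")


if __name__ == "__main__":
    probes = [
        "notification.php",
        "../../../../wp-config.php",
        "..%2f..%2f..%2f..%2fwp-config.php",
        "%252e%252e%252fwp-config.php",
        "/etc/passwd",
        "wp-config.php%00.php",
    ]
    for p in probes:
        print(f"{p!r:45} -> {resolve_inside_root(TEMPLATE_ROOT, p)}")
```

On a real host, resolve symlinks with os.path.realpath before the prefix test, since a symlink under the root can point outside it; the allowlist approach in template_path sidesteps that class of problem entirely and is the preferred fix when the set of valid files is known.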

Business impact

This vulnerability is rated High severity with a CVSS base score of 7.2. As a check on the rating: 7.2 is the CVSS v3 score of a network-reachable, low-complexity vector that requires high privileges and has full confidentiality, integrity and availability impact (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H), whereas the same impact with no privileges required scores 9.8; confirm the vector string published for the CVE before assuming the flaw is reachable without authentication. Exploitation could have a significant negative impact on the business. An attacker could steal sensitive configuration details, leading to a full database compromise, customer data theft, and loss of intellectual property. Public disclosure of such an incident would cause reputational damage, loss of customer trust, and potential regulatory fines. The compromised server could also be used as a pivot point to launch further attacks against the internal network.

Remediation

Immediate Action: Update the "Subscribe to Comments for WordPress" plugin to the latest patched version and confirm the installed version on the WordPress Plugins page afterwards. If the plugin is no longer in use or is not essential for business operations, deactivate it and delete it from the installation; a deactivated plugin's files remain on disk and reachable through the web server, so deactivation alone does not remove the risk.

Proactive Monitoring: Monitor web server access logs (e.g. Apache, Nginx) for requests whose path or query string contains directory traversal sequences such as ../ or their encoded forms (%2e%2e%2f, and double-encoded %252e%252e%252f), and for requests naming sensitive files such as wp-config.php or /etc/passwd. Decode the request before matching, otherwise encoded variants slip past plain string searches, and do not discard probes that returned 404: they still show that the host is being scanned. Access logs normally record only the request line, so traversal attempts carried in a POST body are not visible there. Implement File Integrity Monitoring (FIM) to alert on unexpected modification of critical system and application files; FIM does not see reads, so it complements rather than replaces log monitoring.
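As an added example (not part of the advisory), the following Python applies the log-monitoring guidance above to a few constructed Apache combined-format access log lines. It percent-decodes each request target before matching, so encoded and double-encoded traversal sequences are caught, and it flags requests that name the sensitive files mentioned above. The plugin URL, the "ref" parameter name and the client addresses in the sample are invented for the example and are not taken from the advisory.

```python
import re
from urllib.parse import unquote

# Apache/Nginx "combined" format: client, identd, user, [time], "request", status, bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)'
)

# Traversal after decoding: "../" or "..\" anywhere in the target.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")
# Files an LFI probe against a WordPress host typically goes after.
SENSITIVE_RE = re.compile(r"wp-config\.php|/etc/passwd|/etc/shadow|\.htaccess", re.IGNORECASE)

# Constructed sample: the plugin path, the "ref" parameter and the addresses are
# invented for this example, not taken from the advisory.
SAMPLE_LOG = "\n".join([
    '203.0.113.7 - - [12/Mar/2015:10:14:22 +0000] "GET /wp-content/plugins/subscribe-to-comments/subscribe-to-comments.php?ref=../../../../wp-config.php HTTP/1.1" 200 3141',
    '198.51.100.23 - - [12/Mar/2015:10:14:25 +0000] "GET /?p=42 HTTP/1.1" 200 8812',
    '203.0.113.7 - - [12/Mar/2015:10:14:31 +0000] "GET /wp-content/plugins/subscribe-to-comments/subscribe-to-comments.php?ref=%2e%2e%2f%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 1024',
    '192.0.2.9 - - [12/Mar/2015:10:15:02 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [12/Mar/2015:10:15:40 +0000] "GET /index.php?page=%252e%252e%252fwp-config.php HTTP/1.1" 404 209',
])


def normalise_target(target: str, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded): %2e%2e%2f and %252e%252e%252f both become ../."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def inspect_line(line: str):
    """Return a finding dict for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None  # unparsable line; a real pipeline would count these separately
    target = m.group("target")
    norm = normalise_target(target)
    reasons = []
    if TRAVERSAL_RE.search(norm):
        reasons.append("traversal")
    for hit in SENSITIVE_RE.findall(norm):
        reasons.append("sensitive:" + hit.lower())
    if not reasons:
        return None
    # The status is kept on purpose: a 404 still shows someone probing for the file.
    return {"ip": m.group("ip"), "time": m.group("ts"), "status": m.group("status"),
            "target": target, "reasons": reasons}


def flag_suspicious(log_text: str):
    """Run inspect_line over every non-empty line and collect the findings in order."""
    findings = []
    for line in log_text.splitlines():
        if line.strip():
            finding = inspect_line(line)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in flag_suspicious(SAMPLE_LOG):
        print(f["time"], f["ip"], f["status"], ",".join(f["reasons"]), f["target"])
```

Two gaps worth knowing before relying on this: urllib's unquote turns overlong UTF-8 sequences such as %c0%ae into replacement characters rather than dots, so that encoding family is not caught by the traversal pattern, and the request line in an access log never contains a POST body. A WAF or application-level logging is needed for both.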

Compensating Controls: If immediate patching is not feasible, put a Web Application Firewall (WAF) in front of the site with rules that detect and block LFI and directory traversal patterns, including their encoded variants. Restrict what the PHP process can reach: the web server account necessarily reads wp-config.php, so filesystem permissions cannot protect that file from an LFI in the same process, but they can keep the account out of system files outside the web root (for example /etc/shadow), and PHP's open_basedir directive can confine file operations to the WordPress installation directory plus any temporary and session paths PHP needs.

Exploitation status

Public Exploit Available: true

Analyst recommendation

Given the High severity (CVSS 7.2), the availability of public exploits, and the low complexity of an attack, immediate action is critical. We strongly recommend that all instances of the "Subscribe to Comments for WordPress" plugin be updated to a secure version without delay. Organizations should conduct a comprehensive audit of all WordPress plugins to identify and remediate other outdated components, reducing the overall attack surface. This vulnerability should be treated with high priority, regardless of its absence from the CISA KEV list.