A high-severity vulnerability has been identified in the Elegance Menu plugin for WordPress, which could allow an unauthenticated attacker to access sensitive files on the web server. Successful exploitation could lead to the exposure of confidential information, such as database credentials and system configuration files, potentially enabling further compromise of the entire website and underlying server.

The vulnerability is a Local File Inclusion (LFI). An attacker can exploit this by manipulating an input parameter used by the plugin to force the application to include and execute or display the contents of arbitrary files on the server. For example, an attacker could craft a specific web request to read sensitive files like wp-config.php (containing database credentials) or system files like /etc/passwd.

This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation could lead to significant business consequences, including the unauthorized disclosure of sensitive company data, customer information, or intellectual property. The theft of database credentials could result in a complete database compromise, leading to severe reputational damage, regulatory fines, and a loss of customer trust. The exposed information could also be used by attackers to escalate privileges and gain further control over the organization's infrastructure.

Immediate Action: Immediately update the Elegance Menu plugin to the latest version provided by the developer, which addresses this vulnerability. If the plugin is no longer required for business operations, it should be deactivated and completely removed from the WordPress installation to eliminate this attack vector.

Proactive Monitoring: Review web server access logs for suspicious requests targeting the Elegance Menu plugin. Specifically, search for directory traversal patterns (e.g., ../, ..%2f) in URL query strings. Monitor for unusual read attempts on sensitive system and configuration files by the web server user account.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block LFI and directory traversal attempts. Additionally, ensure server file permissions are hardened to restrict the web server process from accessing files outside of its intended directory root.

Public Exploit Available: false

Given the High severity (CVSS 7.5) and the potential for complete sensitive data exposure, it is strongly recommended that organizations prioritize the immediate remediation of this vulnerability. All WordPress sites using the Elegance Menu plugin should be patched or have the plugin removed without delay. Although this CVE is not currently on the CISA KEV list, the ease of exploitation and high impact warrant urgent attention to prevent potential compromise.