A high-severity vulnerability has been identified in the XStore theme for WordPress, which could allow an unauthenticated attacker to read sensitive files from the underlying server. Successful exploitation could lead to the exposure of confidential data, such as database credentials and system configuration files, potentially resulting in a full server compromise. Organizations using the affected theme are strongly advised to apply the recommended updates immediately to mitigate this significant risk.

The vulnerability is a Local File Inclusion (LFI) flaw within the XStore theme. An attacker can exploit this by sending a specially crafted request to the web server, manipulating a parameter to include a path to a local file on the server. Using path traversal techniques (e.g., ../../), the attacker can break out of the intended directory and access sensitive files such as wp-config.php (containing database credentials), /etc/passwd (listing system users), or server logs. This could lead to complete information disclosure and, in some configurations, may be escalated to Remote Code Execution (RCE) if the included file contains malicious code.

This vulnerability is rated as High severity with a CVSS score of 8.8, posing a significant threat to the business. Exploitation can lead to a severe data breach, exposing sensitive company information, customer data, and intellectual property. The compromise of credentials from configuration files could allow an attacker to gain full control over the website's database and potentially the entire server. This could result in operational downtime, financial loss, regulatory fines, and significant reputational damage.

Immediate Action: Immediately update the XStore theme to the latest patched version (greater than version 9.0) on all WordPress instances. After updating, review all WordPress security settings, plugins, and themes; remove any that are no longer necessary to reduce the overall attack surface.

Proactive Monitoring:

• Web Server Logs: Actively monitor web server access logs (e.g., Apache, Nginx) for suspicious requests containing path traversal sequences (../, ..%2f) or attempts to access common sensitive files (wp-config.php, /etc/passwd).
• WAF Logs: Review Web Application Firewall logs for alerts related to "Path Traversal" or "Local File Inclusion" rule violations targeting your websites.
• File Integrity Monitoring (FIM): Use FIM tools to detect unauthorized changes to core WordPress files, theme files, or critical system files on the server.

Compensating Controls:

• Web Application Firewall (WAF): If immediate patching is not possible, implement or configure a WAF with a robust ruleset to detect and block LFI and path traversal attack patterns.
• File Permissions: Harden server file permissions to ensure the web server's user account has the minimum necessary privileges and cannot read sensitive system-level files.
• Disable PHP Execution in Uploads: Ensure that PHP execution is disabled in directories where users can upload files to prevent potential LFI-to-RCE escalation chains.

Public Exploit Available: False

Given the high CVSS score of 8.8 and the critical impact of a successful exploit, this vulnerability requires immediate attention. We strongly recommend that all system administrators identify WordPress instances using the XStore theme and apply the necessary updates without delay. Before and after patching, administrators should scan web server logs for any signs of attempted exploitation. Although not yet on the CISA KEV list, the severity of this vulnerability makes it a prime target for attackers, and it should be treated with the highest priority.