A high-severity Local File Inclusion (LFI) vulnerability has been identified in the "Premium Portfolio Features for Phlox theme" plugin for WordPress. This flaw could allow an unauthenticated attacker to read sensitive files from the server, such as configuration files containing database credentials, potentially leading to a full system compromise. Organizations using the affected plugin are at significant risk of data exfiltration and should apply the recommended updates immediately.

The plugin is vulnerable to Local File Inclusion (LFI) due to insufficient input validation on a parameter that handles file paths. An unauthenticated attacker can craft a malicious request, manipulating this parameter with directory traversal sequences (e.g., ../) to access and display the contents of arbitrary files on the server's local filesystem. For example, an attacker could potentially read sensitive files like wp-config.php (containing database credentials) or system files like /etc/passwd.

This vulnerability is rated as High severity with a CVSS score of 8.1. Exploitation could lead to significant business impact, including the exfiltration of sensitive data such as customer information, intellectual property, and system credentials. The disclosure of database credentials from the wp-config.php file could allow an attacker to gain direct access to the website's database, leading to a complete compromise of the site's integrity and confidentiality. This could result in reputational damage, regulatory fines, and a loss of customer trust.

Immediate Action:

• Immediately update the "Premium Portfolio Features for Phlox theme" plugin to the latest version provided by the vendor, which addresses this vulnerability.
• If the plugin is not essential for business operations, the most secure course of action is to deactivate and remove it entirely.
• Review WordPress file and directory permissions to ensure the web server user has the minimum necessary access rights.

Proactive Monitoring:

• Monitor web server access logs for requests containing directory traversal patterns (e.g., ../, ..%2f, ..\\) in URL parameters associated with the Phlox theme or its portfolio features.
• Implement a Web Application Firewall (WAF) to detect and block LFI attack attempts in real-time.
• Utilize a file integrity monitoring (FIM) solution to alert on unauthorized access or changes to critical files like wp-config.php.

Compensating Controls:

• If immediate patching is not feasible, deploy a WAF with specific rules to block LFI and directory traversal attacks against the vulnerable plugin endpoints.
• Temporarily disable the plugin until a patch can be applied.
• Harden the underlying server's PHP configuration (e.g., by restricting open_basedir) to limit the directories from which PHP can access files, thus reducing the impact of a successful LFI exploit.

Public Exploit Available: true

Given the high severity (CVSS 8.1) and the availability of public exploit code, it is strongly recommended that all organizations using the affected WordPress plugin apply the necessary updates with the highest priority. This vulnerability presents a clear and immediate risk of sensitive data exposure. Systems should be patched or have compensating controls applied within the next 72 hours to mitigate the risk of compromise.