A critical vulnerability has been identified in the jwsthemes OchaHouse theme, assigned CVE-2025-12550 with a CVSS score of 9.8. This flaw allows an attacker to include and execute local files on the server, potentially leading to sensitive information disclosure, arbitrary code execution, and a complete compromise of the affected web server. Immediate patching is required to mitigate the significant risk of a security breach.

The vulnerability is a Local File Inclusion (LFI) flaw resulting from improper input validation. The application uses user-supplied data within a PHP include or require statement without properly sanitizing it. An unauthenticated remote attacker can exploit this by crafting a malicious request that manipulates the filename parameter to include arbitrary local files from the server's filesystem, such as configuration files containing credentials, system user information, or application source code.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could lead to a complete compromise of the web server hosting the OchaHouse theme. The potential consequences include theft of sensitive data (e.g., customer information, database credentials), service disruption, reputational damage, and significant financial loss. An attacker could also leverage the compromised server to pivot and launch further attacks against the internal network, escalating the incident's impact.

Immediate Action: Update the jwsthemes OchaHouse theme to the latest version available from the vendor (a version later than 2.2.8). After patching, it is crucial to monitor for exploitation attempts and review historical web server access logs for any signs of compromise that may have occurred before the patch was applied.

Proactive Monitoring: Security teams should actively monitor web server logs for requests containing path traversal sequences (e.g., ../, ..\/) or attempts to access common sensitive files like /etc/passwd, wp-config.php, or server log files. Monitor for any unusual or unexpected PHP processes being executed by the web server user, as this could indicate successful code execution.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block LFI and path traversal attacks. Additionally, harden the server's file permissions to restrict the web server user's access to sensitive files and directories outside of the web root. Ensure PHP configurations are hardened, for example, by disabling allow_url_include.

Public Exploit Available: false

Given the critical severity (CVSS 9.8) and the high potential for complete system compromise, organizations must treat this vulnerability with the highest priority. The jwsthemes OchaHouse theme should be patched immediately across all affected systems. Although this vulnerability is not currently listed on the CISA KEV list, its critical nature warrants an emergency change and deployment. After patching, organizations should proactively hunt for evidence of compromise by analyzing historical logs for indicators of LFI attacks.