A high-severity Local File Inclusion (LFI) vulnerability has been identified in the LT Unleashed plugin for WordPress. This flaw could allow an unauthenticated attacker to read sensitive files on the server, such as configuration files containing database credentials. Successful exploitation could lead to the exposure of confidential data and potentially a full compromise of the affected website.

The vulnerability is a Local File Inclusion (LFI) flaw resulting from insufficient validation of user-supplied input. An attacker can exploit this by crafting a malicious request that includes directory traversal sequences (e.g., ../). This tricks the application into including and displaying the contents of arbitrary files from the server's local file system, such as wp-config.php or /etc/passwd, which are outside of the intended web root directory.

This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation could lead to significant business harm, including the unauthorized disclosure of sensitive information like database credentials, API keys, and internal system configurations. This exposed data could be leveraged by attackers to escalate their privileges, gain full control over the web server, deface the website, or pivot to other systems within the network, resulting in data breaches, service disruptions, and reputational damage.

Immediate Action: Immediately update the LT Unleashed plugin to the latest version provided by the vendor, which addresses this vulnerability. If the plugin is not critical for business operations, consider deactivating and removing it entirely to eliminate this attack vector.

Proactive Monitoring: Monitor web server access logs for requests containing directory traversal patterns (../, ..%2f) or attempts to access known sensitive system files. Implement file integrity monitoring (FIM) to detect unauthorized access or changes to critical configuration files like wp-config.php.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block LFI and directory traversal attacks. Additionally, ensure the web server process runs with the principle of least privilege, restricting its file system read permissions to only necessary directories.

Public Exploit Available: false

Given the high severity (CVSS 7.5) of this vulnerability and the potential for complete website compromise, immediate action is required. Organizations using the affected LT Unleashed plugin are strongly advised to apply the vendor's patch without delay. While this CVE is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog, its critical nature warrants urgent attention to prevent the exposure of sensitive data. If an update cannot be applied, the plugin should be disabled immediately as a temporary mitigating measure.