A critical vulnerability has been identified in the ThemeMove Brook WordPress theme, posing a severe risk to affected websites. This flaw, rated 9.8 out of 10, allows an unauthenticated remote attacker to include and execute arbitrary code on the web server, potentially leading to a complete system compromise, data theft, and website defacement. Organizations using the affected theme must take immediate action to prevent exploitation.

This vulnerability is an Improper Control of Filename for an Include/Require Statement, commonly known as a PHP File Inclusion. The application fails to properly sanitize user-supplied input that is used as a path in a PHP include or require statement. A remote, unauthenticated attacker can exploit this by crafting a special request that tricks the application into including a malicious file, either from a remote server (Remote File Inclusion - RFI) or from the local server's filesystem (Local File Inclusion - LFI). Successful exploitation results in the execution of the attacker's code with the permissions of the web server process, leading to Remote Code Execution (RCE).

With a critical severity rating and a CVSS score of 9.8, this vulnerability represents a significant threat to the business. A successful attack could lead to a complete compromise of the web server, resulting in the theft of sensitive data such as customer information, payment details, and intellectual property. Further consequences include website defacement, service disruption, deployment of ransomware or other malware, and the use of the compromised server as a pivot point to attack other internal systems. Such an incident can cause severe reputational damage, financial loss, and regulatory penalties.

Immediate Action: Update the ThemeMove Brook - Agency Business Creative theme to the latest version available from the vendor, which should be a version greater than 2.8.9. After updating, monitor for any signs of exploitation by reviewing web server access logs and application logs for unusual requests or errors.

Proactive Monitoring: Security teams should actively monitor web server access logs for requests containing suspicious patterns in URL parameters, such as "http://", "https://", "ftp://", or directory traversal sequences like "../". Monitor for unexpected outbound network connections from the web server, which could indicate a successful RFI attack. Additionally, use file integrity monitoring to detect the creation or modification of unauthorized files in the web directory.

Compensating Controls: If immediate patching is not feasible, implement the following controls:

• Utilize a Web Application Firewall (WAF) with rules specifically designed to detect and block File Inclusion attack patterns.
• Modify the server's PHP configuration (php.ini) to disable remote file inclusion by setting allow_url_include and allow_url_fopen to Off. Note: This will mitigate RFI but not LFI attacks.
• Enforce strict file permissions on the web server to limit the web process's ability to read sensitive files or write to unauthorized directories.

Public Exploit Available: false

Given the critical CVSS score of 9.8 and the potential for a complete system compromise by an unauthenticated attacker, it is imperative that organizations patch this vulnerability immediately. All instances of the ThemeMove Brook theme must be identified and updated to a secure version without delay. Although this CVE is not currently listed on the CISA KEV list, its high severity makes it a prime candidate for future inclusion. Prioritize this remediation activity above all other non-critical patching efforts.