A critical vulnerability has been identified in the THEMELOGI Navian theme for WordPress, which could allow an unauthenticated remote attacker to take complete control of the affected website. This flaw, rated 9.8 out of 10 in severity, enables an attacker to read sensitive files from the server, potentially leading to data theft, website defacement, or a full system compromise. Immediate patching is required to mitigate this high-risk threat.

The vulnerability is a Local File Inclusion (LFI) flaw within the THEMELOGI Navian theme. The software fails to properly sanitize or validate user-supplied input that is used to construct a file path for PHP's include or require functions. A remote, unauthenticated attacker can exploit this by crafting a malicious request, typically manipulating a URL parameter, to include directory traversal sequences (e.g., ../). This tricks the application into including and executing arbitrary files from the server's local file system, allowing the attacker to read sensitive configuration files (like wp-config.php), system files (like /etc/passwd), or potentially achieve remote code execution if they can control the contents of an included file.

This vulnerability is of critical severity with a CVSS score of 9.8. Successful exploitation could have a devastating business impact. An attacker could exfiltrate sensitive data, including customer information, intellectual property, and database credentials, leading to significant data breaches and regulatory fines. The complete compromise of the web server could result in website defacement, service disruption, and reputational damage. Furthermore, a compromised server can be used as a pivot point to launch further attacks against the internal network, escalating the security incident.

Immediate Action: Update the THEMELOGI Navian theme to the latest version provided by the vendor (a version later than 1.5.4). After patching, monitor web server access logs for any signs of exploitation attempts that may have occurred prior to the update.

Proactive Monitoring: Review web server logs (Apache, Nginx, etc.) for requests containing directory traversal patterns like ../, ..%2f, or absolute file paths in URL parameters. Implement a File Integrity Monitoring (FIM) solution to alert on unauthorized changes to core website files. Monitor for unusual outbound network connections from the web server, which could indicate a successful compromise.

Compensating Controls: If patching cannot be immediately applied, implement the following controls:

• Web Application Firewall (WAF): Deploy a WAF with a robust ruleset to detect and block LFI and directory traversal attack patterns.
• Harden PHP Configuration: Disable potentially dangerous PHP functions in php.ini to limit an attacker's ability to execute code post-exploitation.
• File Permissions: Ensure the web server process runs with the lowest possible privileges and cannot read sensitive files outside of the web root directory.

Public Exploit Available: false

Given the critical severity (CVSS 9.8) of this vulnerability, we recommend immediate action. All organizations using the THEMELOGI Navian theme must prioritize updating to a patched version without delay. If patching is not immediately feasible, the compensating controls, particularly a Web Application Firewall, should be implemented as an urgent temporary measure. Although this CVE is not currently on the CISA KEV list, its high potential for impact means it should be treated with the highest priority to prevent a full compromise of the web server and associated data.