A high-severity vulnerability has been identified in the "Extensive VC Addons for WPBakery" WordPress plugin. This flaw allows an attacker to access and read sensitive files directly from the web server, potentially exposing confidential information such as database credentials, system configuration files, and user data. Exploitation of this vulnerability could lead to a full system compromise.

The vulnerability is a Local File Inclusion (LFI). This occurs because the plugin fails to properly sanitize user-supplied input that is used to construct file paths for inclusion. An unauthenticated attacker can craft a special request containing directory traversal sequences (e.g., ../) to navigate the server's file system and include arbitrary files, which are then displayed to the attacker. For example, an attacker could potentially read the contents of sensitive files like wp-config.php to steal database credentials or /etc/passwd to enumerate system users.

This vulnerability is rated as High severity with a CVSS score of 8.1. Successful exploitation could lead to a significant data breach, exposing sensitive company data, customer information, and intellectual property. The theft of credentials from configuration files could allow an attacker to gain deeper access to the organization's infrastructure, including databases and other connected systems. The potential consequences include severe reputational damage, financial loss, regulatory penalties, and the cost associated with incident response and recovery.

Immediate Action:

• Identify all WordPress instances using the "Extensive VC Addons for WPBakery" plugin.
• Immediately update the plugin to the latest version provided by the vendor, which contains a patch for this vulnerability.
• If the plugin is not essential for business operations, the recommended course of action is to deactivate and completely remove it to eliminate this attack vector.

Proactive Monitoring:

• Monitor web server access logs for requests targeting the affected plugin's endpoints that contain directory traversal patterns such as ../, ..%2f, or other variants.
• Implement and monitor a Web Application Firewall (WAF) to detect and block LFI attack attempts against the web application.
• Utilize a file integrity monitoring (FIM) solution to alert on unauthorized access or changes to critical system files like wp-config.php.

Compensating Controls:

• If immediate patching is not feasible, deploy a WAF with a specific ruleset to block directory traversal and LFI attacks.
• Temporarily disable the affected plugin until it can be patched or safely removed.
• Ensure the web server process runs with the lowest possible privileges and is restricted from accessing sensitive files and directories outside of the web root.

Public Exploit Available: true

Given the high severity score (CVSS 8.1) and the public availability of exploit code, this vulnerability poses a significant and immediate risk to the organization. We strongly recommend that all system administrators prioritize the immediate patching or removal of the affected "Extensive VC Addons for WPBakery" plugin across all WordPress installations. Due to the high probability of active scanning and exploitation, this remediation effort should be treated as a critical priority.