A high-severity vulnerability has been discovered in multiple products by ThemeAtelier, including IDonatePro. This flaw allows an attacker to trick the application into accessing and potentially executing files on the server that it should not be able to access. Successful exploitation could lead to the theft of sensitive information, such as configuration details and user data, or a complete compromise of the affected server.

The vulnerability is a Local File Inclusion (LFI) flaw. It exists because the application does not properly validate user-supplied input before using it in a PHP include or require statement. An unauthenticated remote attacker can craft a special request containing directory traversal sequences (../) to specify a path to a file on the server. The vulnerable application will then include this file, allowing the attacker to either view its contents (e.g., configuration files, system files like /etc/passwd) or, if the included file contains PHP code, execute it in the context of the web server.

This vulnerability is rated as High severity with a CVSS score of 8.1, posing a significant risk to the organization. Exploitation can lead to a severe data breach, as attackers can read sensitive files containing database credentials, API keys, and other confidential information. If an attacker can combine this LFI vulnerability with a file upload capability, it could be escalated to full Remote Code Execution (RCE), giving them complete control over the server. This could result in service disruption, reputational damage, and financial loss from recovery efforts and potential regulatory fines.

Immediate Action: Apply vendor security updates immediately across all affected ThemeAtelier products. After patching, monitor systems for any signs of exploitation attempts by reviewing web server access logs for requests matching LFI patterns.

Proactive Monitoring: Security teams should actively monitor web server logs for suspicious requests containing directory traversal characters (../), absolute file paths, or attempts to access common sensitive files (e.g., wp-config.php, /etc/passwd, .env). Intrusion Detection Systems (IDS) should be configured with rules to detect and alert on LFI attack signatures. Monitor for unusual outbound network connections from the web server, which could indicate a successful compromise.

Compensating Controls: If patching is not immediately possible, implement the following controls:

• Deploy a Web Application Firewall (WAF) with a strict ruleset designed to block directory traversal and file inclusion attacks.
• Harden PHP configurations by disabling allow_url_include and using the open_basedir directive to restrict the file paths PHP can access.
• Enforce the principle of least privilege by ensuring the web server process runs with minimal permissions and cannot read sensitive files outside of the web root.

Public Exploit Available: false

Given the high CVSS score of 8.1, organizations are urged to treat this vulnerability with high priority. It is strongly recommended to apply the vendor-provided security updates immediately to prevent potential exploitation. While this vulnerability is not currently listed on the CISA KEV catalog, its severity and the potential for complete system compromise warrant immediate attention. If patching cannot be performed right away, implement the recommended compensating controls and increase monitoring until the permanent fix can be applied.