A high-severity vulnerability has been identified in multiple RadiusTheme products, specifically within the Testimonial Slider And Showcase Pro plugin. This flaw, a Local File Inclusion (LFI), allows an unauthenticated attacker to trick the application into including and executing unintended files from the server. Successful exploitation could lead to sensitive information disclosure, such as viewing configuration files and system passwords, or potentially a full compromise of the web server.

The vulnerability is a Local File Inclusion (LFI) caused by an Improper Control of Filename for an Include/Require Statement in the PHP code. An attacker can manipulate an input parameter, likely a URL parameter, to include directory traversal sequences (e.g., ../). This forces the PHP include or require function to load and process a file from an arbitrary location on the server's filesystem, granting the attacker access to read sensitive files that are normally not accessible.

This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation could have a significant business impact, including the exposure of sensitive data like database credentials, application source code, and system user information. This data breach could lead to further system compromise, reputational damage, and regulatory fines. The ability to read server files can also facilitate more complex attacks, potentially leading to a complete server takeover and disruption of business operations.

Immediate Action: Apply vendor security updates immediately across all affected installations. After patching, administrators should monitor for any signs of post-patch exploitation attempts and thoroughly review historical access logs for indicators of compromise that may have occurred before the patch was applied.

Proactive Monitoring: Monitor web server access logs for suspicious requests containing directory traversal patterns (../), absolute file paths (e.g., /etc/passwd), or other file inclusion payloads. Implement file integrity monitoring on critical application and system files to detect unauthorized changes. Monitor for unusual PHP error messages which may indicate failed LFI attempts.

Compensating Controls: If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block LFI and directory traversal attacks. Harden the PHP environment by disabling allow_url_include and configuring a restrictive open_basedir path to limit the locations from which files can be included. Ensure the web server process runs with the lowest possible user privileges.

Public Exploit Available: false

Given the high CVSS score of 7.5 and the critical risk of information disclosure and server compromise, we strongly recommend that organizations apply the vendor-provided security patches to all affected RadiusTheme products as the highest priority. Although this vulnerability is not currently listed on the CISA KEV list, its nature makes it an attractive target. Proactive monitoring and the implementation of compensating controls, such as a WAF, are advised to provide layered defense and mitigate risk until patching is complete.