A high-severity vulnerability has been identified in multiple octagonwebstudio products, specifically the Premium Addons for KingComposer. This flaw, a Local File Inclusion, could allow an unauthenticated attacker to read sensitive files from the underlying server. Successful exploitation could lead to the exposure of confidential data, system credentials, and other critical information, potentially enabling further system compromise.

The vulnerability is classified as an Improper Control of a Filename for an Include/Require Statement in a PHP Program. The application fails to properly sanitize user-supplied input that is used as a filename in a PHP include or require statement. An attacker can exploit this by crafting a malicious request containing directory traversal characters (e.g., ../) to navigate the server's file system and include arbitrary files. This allows the attacker to read the contents of sensitive files, such as configuration files containing database credentials (wp-config.php), system user files (/etc/passwd), or application source code.

This vulnerability is rated as High severity with a CVSS score of 8.1. Exploitation can have a significant negative impact on the business, leading to the compromise of sensitive data. Key risks include the disclosure of customer information, intellectual property, or internal credentials, which could result in regulatory fines, financial loss, and severe reputational damage. Furthermore, the information gathered through this vulnerability could serve as a foothold for attackers to launch more sophisticated attacks, potentially leading to a full system compromise.

Immediate Action:

• Patch Immediately: Apply the security updates provided by the vendor, octagonwebstudio, across all affected systems without delay. This is the most effective method to remediate the vulnerability.
• Monitor and Review: Actively monitor for signs of exploitation. Review web server access logs and application logs for requests containing directory traversal patterns or suspicious file access attempts targeting the affected components.

Proactive Monitoring:

• Log Analysis: Scrutinize web server logs for GET or POST requests containing payloads like ../, ..%2f, or other variations of directory traversal sequences in URL parameters.
• File Integrity Monitoring (FIM): Use FIM tools to detect unauthorized changes to critical system files or the creation of unexpected files in web-accessible directories.
• Egress Traffic Filtering: Monitor outbound network traffic from the web server for unusual connections, which could indicate data exfiltration or a successful compromise.

Compensating Controls:

• Web Application Firewall (WAF): If immediate patching is not feasible, implement or update WAF rules to detect and block LFI attack patterns and directory traversal attempts.
• PHP Hardening: Ensure the PHP configuration restricts file access by properly configuring the open_basedir directive to limit the files that can be accessed by PHP scripts.
• Principle of Least Privilege: Verify that the web server process is running with the minimum permissions necessary, limiting the scope of files an attacker can access if the vulnerability is exploited.

Public Exploit Available: False

Given the high CVSS score of 8.1 and the direct risk of sensitive data exposure, it is imperative that organizations treat this vulnerability as a high priority. We strongly recommend applying the vendor-supplied patch to all affected systems immediately. While this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its severity warrants urgent action. Proactive monitoring should be implemented to detect any potential exploitation attempts that may have occurred prior to patching.