CVE-2025-52728
WebCodingPlace · WebCodingPlace Responsive Posts Carousel WordPress Plugin
Executive summary
A high-severity vulnerability has been identified in the WebCodingPlace Responsive Posts Carousel WordPress plugin, which could allow an unauthenticated attacker to read sensitive files from the underlying server. Successful exploitation could lead to the exposure of confidential data, such as website credentials and user information, potentially resulting in a full compromise of the affected website. Organizations are urged to apply the recommended updates immediately to mitigate this risk.
Vulnerability
The vulnerability is a Local File Inclusion (LFI) flaw. It exists because the Responsive Posts Carousel plugin does not properly validate or sanitize user-supplied input that is used to construct a file path for a PHP include or require statement. An unauthenticated remote attacker can exploit this by crafting a malicious request with directory traversal sequences (e.g., ../) to navigate the server's file system and include arbitrary files. This could allow the attacker to read the contents of sensitive files, such as wp-config.php (containing database credentials), /etc/passwd, or other configuration and system files accessible by the web server process.
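The root cause described above is a file path built from unvalidated input. As an added illustration (not code from the plugin, which is PHP; this is Python so the logic can be run anywhere), the following contrasts the naive join that produces an LFI with the two checks a plugin should perform before any include: an allowlist of known template names, and a canonical-path containment test as defence in depth. The template directory, the plugin slug "example-carousel" and the allowlist entries are constructed placeholders.

```python
import os
from typing import Optional

# Constructed for this example: the only directory the plugin should ever load
# templates from. realpath() normalises it once so the containment check below
# compares like with like (e.g. when a parent directory is a symlink).
TEMPLATE_DIR = os.path.realpath(
    "/var/www/html/wp-content/plugins/example-carousel/templates"  # placeholder slug
)

# Hypothetical allowlist: the template names the plugin actually ships.
ALLOWED_TEMPLATES = frozenset({"default", "grid", "slider"})


def naive_path(user_value: str) -> str:
    """The pattern behind an LFI: untrusted input joined straight onto a base
    directory and then handed to include/require. realpath() shows where the
    resulting file actually lands once the ".." segments are collapsed."""
    return os.path.realpath(os.path.join(TEMPLATE_DIR, user_value + ".php"))


def is_inside_template_dir(user_value: str) -> bool:
    """The containment check on its own, to show what traversal input does."""
    resolved = naive_path(user_value)
    return os.path.commonpath([TEMPLATE_DIR, resolved]) == TEMPLATE_DIR


def resolve_template(user_value: str) -> Optional[str]:
    """Return the absolute template path, or None if the request must be rejected.

    Two independent checks: an allowlist of known names (the primary control)
    and a canonical-path containment test (defence in depth, in case the
    allowlist is later loosened to accept arbitrary filenames)."""
    # 1. Only names the plugin knows are acceptable; anything else, including
    #    strings with separators, dots or NUL bytes, is refused outright.
    if user_value not in ALLOWED_TEMPLATES:
        return None
    # 2. Canonicalise and confirm the result is still inside TEMPLATE_DIR.
    resolved = os.path.realpath(os.path.join(TEMPLATE_DIR, user_value + ".php"))
    if os.path.commonpath([TEMPLATE_DIR, resolved]) != TEMPLATE_DIR:
        return None
    return resolved


if __name__ == "__main__":
    for value in ("grid", "../../../../wp-config"):
        print(f"{value!r:28} naive -> {naive_path(value)}")
        print(f"{'':28} safe  -> {resolve_template(value)}")
```

The allowlist is the control that actually closes the hole; the containment test exists so that a later change to accept free-form names does not silently reopen it. Note that the check must run on the canonical path, not on the raw string, because encoded or symlinked variants of the same traversal look different before normalisation.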
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.5. Exploitation could lead to significant business consequences, including a data breach through the theft of sensitive information stored on the server. An attacker could leverage exposed credentials to gain further access to the website's database or administrative backend, leading to a complete system compromise. The potential for website defacement, operational disruption, and reputational damage is high, which could result in a loss of customer trust and financial costs associated with incident response and recovery.
Remediation
Immediate Action:
- Identify all WordPress instances using the "WebCodingPlace Responsive Posts Carousel" plugin.
- Update the plugin to the latest patched version immediately, as recommended by the vendor.
- If the plugin is not essential for business operations, the most secure course of action is to disable and completely remove it to eliminate the attack surface.
Proactive Monitoring:
- Review web server access logs for requests containing directory traversal patterns (e.g., ../, %2e%2e/) in parameters associated with the vulnerable plugin.
- Implement File Integrity Monitoring (FIM) to alert on unauthorized changes to core WordPress files or the appearance of unexpected files in web-accessible directories.
- Monitor for unusual outbound network traffic from the web server, which could indicate a successful compromise and data exfiltration.
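The log review step above is easy to get wrong if the traversal pattern is matched before percent-decoding, since %2e%2e/ and the double-encoded %252e%252e%252f never contain a literal "../". As an added example (not from the advisory or the plugin vendor), the script below parses combined-format access log lines, decodes the request target repeatedly, and flags any request whose decoded path or query string contains a traversal sequence, marking those aimed at the plugin's directory. The plugin slug "example-carousel", the file and parameter names, and the sample log lines are all constructed.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Placeholder: the advisory does not give the plugin's directory name, so a
# constructed slug stands in for it. Set this to the real one when deploying.
PLUGIN_PATH_MARKER = "/wp-content/plugins/example-carousel/"

# Apache/Nginx "combined" format: client, identd, user, [time], "request", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Traversal in either separator style, checked only after decoding.
TRAVERSAL_RE = re.compile(r'\.\.(?:/|\\)')


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode until the string stops changing, so %2e%2e/ and the
    double-encoded %252e%252e%252f both collapse to '../'. Bounded so a
    pathological input cannot loop forever."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def traversal_hits(log_lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per request whose decoded target contains a traversal
    sequence; 'plugin' is True when the request targets the plugin's files."""
    hits: List[Dict[str, object]] = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than abort the whole review
        decoded = fully_decode(m.group("target"))
        if not TRAVERSAL_RE.search(decoded):
            continue
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "status": m.group("status"),
            "target": m.group("target"),
            "decoded": decoded,
            "plugin": PLUGIN_PATH_MARKER in decoded,
        })
    return hits


# Constructed sample log lines (not real traffic); addresses are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Oct/2025:12:00:01 +0000] "GET /wp-content/plugins/example-carousel/assets/style.css HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Oct/2025:12:00:02 +0000] "GET /wp-content/plugins/example-carousel/view.php?template=../../../../wp-config HTTP/1.1" 200 8821 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Oct/2025:12:00:03 +0000] "GET /wp-content/plugins/example-carousel/view.php?template=%2e%2e%2f%2e%2e%2f%2e%2e%2fetc%2fpasswd HTTP/1.1" 200 2210 "-" "curl/8.0"',
    '198.51.100.9 - - [10/Oct/2025:12:00:04 +0000] "GET /index.php?p=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 404 512 "-" "python-requests/2.31"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for hit in traversal_hits(SAMPLE_LOG):
        flag = "PLUGIN" if hit["plugin"] else "other"
        print(f'{hit["time"]} {hit["ip"]:15} {hit["status"]} {flag:6} {hit["decoded"]}')
```

Two caveats when running this against real logs: a 200 status on a flagged request deserves the most attention, since it suggests the include succeeded rather than being blocked; and parameters sent in a POST body never appear in the access log, so this review complements rather than replaces the FIM and egress monitoring listed above.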
Compensating Controls:
- If immediate patching is not feasible, deploy a Web Application Firewall (WAF) with rulesets designed to detect and block LFI and directory traversal attacks.
- Harden the web server's file system permissions to ensure the web server process has read access only to the files it absolutely requires.
- Ensure PHP configurations are hardened, for example, by disabling allow_url_include to prevent potential escalation to Remote File Inclusion.
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the High severity (CVSS 7.5) of this vulnerability and its potential to lead to a full system compromise, it is strongly recommended that organizations take immediate action. All instances of the "WebCodingPlace Responsive Posts Carousel" plugin must be updated to the latest version without delay. Although this CVE is not currently on the CISA KEV list, the ease of exploitation for LFI flaws makes it a prime target for opportunistic attackers. Patching should be the primary response; if this is not possible, the compensating controls listed above must be implemented as a temporary measure while a permanent remediation plan is executed.