CVE-2025-52807

ApusWP · ApusWP Kossy - Minimalist eCommerce WordPress Theme


Executive summary

A high-severity Local File Inclusion (LFI) vulnerability in the ApusWP Kossy WordPress Theme allows an unauthenticated attacker to read sensitive files from the server, leading to significant information disclosure.

Vulnerability

An unauthenticated attacker can exploit an Improper Control of Filename for Include/Require Statement vulnerability. This flaw allows the attacker to manipulate file paths to include and display the contents of arbitrary local files from the web server's filesystem.

Business impact

A successful exploit could expose sensitive configuration files (such as those holding database credentials), user data, or application source code. This information disclosure can facilitate further attacks, potentially leading to full system compromise. The CVSS score of 8.1 (High) reflects the significant risk of data breaches and unauthorized access posed by this vulnerability.

Remediation

Immediate Action: Administrators must update the ApusWP Kossy theme to the latest patched version provided by the vendor immediately. If the theme is no longer in use, it should be completely removed.

Proactive Monitoring: Review web server and application logs for suspicious requests containing directory traversal patterns (e.g., ../) or attempts to access sensitive system files like wp-config.php.

Compensating Controls: Implement and configure a Web Application Firewall (WAF) with rules designed to detect and block Local File Inclusion attack signatures as a virtual patch.
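The log review recommended above can be scripted. The following is an added example written for this advisory, not a tool from the vendor or from the theme: it parses Apache combined-format access-log lines, percent-decodes each request path repeatedly (so double-encoded traversal such as %252e%252e%252f is not missed), and flags requests that contain directory-traversal sequences or reference sensitive files such as wp-config.php. The log lines, IP addresses, paths and query parameter names are constructed for the example and do not describe the actual vulnerable endpoint.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines in Apache combined format. IPs, paths
# and parameter names are made up for this example, not real traffic and not
# the theme's real endpoint.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2025:10:00:01 +0000] "GET /wp-content/themes/example/style.css HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.11 - - [01/Jan/2025:10:00:02 +0000] "GET /index.php?template=../../../../wp-config.php HTTP/1.1" 200 2048 "-" "curl/8.0"
203.0.113.12 - - [01/Jan/2025:10:00:03 +0000] "GET /?page=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1024 "-" "python-requests/2.31"
203.0.113.13 - - [01/Jan/2025:10:00:04 +0000] "GET /index.php?p=%252e%252e%252fwp-config.php HTTP/1.1" 404 120 "-" "Mozilla/5.0"
203.0.113.14 - - [01/Jan/2025:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 80 "-" "Mozilla/5.0"
"""

# Apache combined format: client, ident, user, [time] "METHOD path PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Indicators named in the advisory's monitoring guidance: "../" traversal and
# requests naming sensitive files (wp-config.php; /etc/passwd is a common
# additional probe target on Linux hosts).
TRAVERSAL_RE = re.compile(r'\.\./')
SENSITIVE_RE = re.compile(r'wp-config\.php|/etc/passwd', re.IGNORECASE)


def decode_path(raw, max_rounds=3):
    """Percent-decode repeatedly to unwrap double encoding, then normalise
    backslashes to forward slashes so one traversal pattern covers both."""
    decoded = raw
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace('\\', '/')


def classify(path):
    """Return the indicator names matched by an already-decoded request path."""
    reasons = []
    if TRAVERSAL_RE.search(path):
        reasons.append('directory-traversal')
    if SENSITIVE_RE.search(path):
        reasons.append('sensitive-file')
    return reasons


def scan_log(text):
    """Parse access-log lines and return one finding dict per suspicious request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        decoded = decode_path(m.group('path'))
        reasons = classify(decoded)
        if reasons:
            findings.append({
                'ip': m.group('ip'),
                'time': m.group('time'),
                'status': int(m.group('status')),
                'path': m.group('path'),
                'decoded': decoded,
                'reasons': reasons,
            })
    return findings


if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['status']} "
              f"{','.join(f['reasons'])} {f['decoded']}")
```

Run against a real log with `scan_log(open('/var/log/apache2/access.log').read())`. The HTTP status is kept in each finding so that hits returning 200 with a non-trivial response size can be triaged first: a traversal request answered with 404 is a probe, while a 200 may indicate the file contents were actually served. Decoding before matching is what matters here; matching the raw path would miss the third and fourth sample lines.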

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability presents a significant risk to affected WordPress sites and must be addressed with urgency. Given the potential for complete information disclosure from an unauthenticated position, immediate patching is the most effective mitigation. We strongly recommend applying the vendor-supplied update without delay to prevent potential compromise.