A high-severity vulnerability has been identified in multiple products from Pluginwale Easy, specifically impacting the Easy Pricing Table WP plugin. This flaw, a Local File Inclusion, could allow an unauthenticated attacker to read sensitive files from the underlying server, potentially exposing confidential data such as database credentials and system configuration files. Immediate patching is required to mitigate the risk of data compromise and further system intrusion.

The vulnerability is a Local File Inclusion (LFI) flaw resulting from the improper sanitization of user-supplied input used in a PHP include or require statement. An attacker can exploit this by crafting a malicious request that manipulates a file path parameter. By using directory traversal sequences (e.g., ../), the attacker can trick the application into including and displaying the contents of arbitrary files on the local file system, such as wp-config.php or /etc/passwd, which are outside of the intended web root directory.

This vulnerability is rated as High severity with a CVSS score of 7.5. Successful exploitation could lead to significant business impact, including the exposure of sensitive corporate and customer data, such as database credentials, API keys, and internal system configurations. This data breach could result in regulatory fines, reputational damage, loss of customer trust, and provide an attacker with the necessary information to escalate their privileges and achieve a full compromise of the web server and potentially pivot to other internal network systems.

Immediate Action: Apply the security updates released by Pluginwale Easy across all affected WordPress instances immediately. After patching, review web server access logs and audit logs for any signs of past or ongoing exploitation attempts targeting this vulnerability.

Proactive Monitoring: System administrators should actively monitor web server logs for suspicious requests containing directory traversal patterns (e.g., ../, %2e%2e/) in URL parameters associated with the Easy Pricing Table WP plugin. A Web Application Firewall (WAF) should be configured with rules to detect and block LFI attack signatures. Monitor for unusual file read activities by the web server process.

Compensating Controls: If immediate patching is not feasible, consider the following compensating controls:

• Implement strict WAF rules specifically designed to block LFI and directory traversal attack patterns.
• Temporarily disable the vulnerable Pluginwale Easy Pricing Table WP plugin until it can be safely updated.
• Harden the server's PHP configuration by restricting file system access with settings like open_basedir.

Public Exploit Available: false

Given the high severity (CVSS 7.5) and the potential for sensitive data exposure, it is critical that organizations prioritize the remediation of this vulnerability. Although this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, the risk of exploitation is significant. We strongly recommend applying the vendor-supplied patches immediately to all affected systems to prevent the compromise of web applications and the underlying server infrastructure.