A high-severity vulnerability has been identified in multiple ThemeMove MaxCoach products, designated as CVE-2025-58206. This flaw allows an attacker to trick the web server into revealing the contents of sensitive files on the system, potentially exposing confidential data such as configuration details, user credentials, and system information. Immediate patching is required to prevent unauthorized access and potential data breaches.

The vulnerability is a Local File Inclusion (LFI) flaw resulting from improper input validation within a PHP include or require function. An unauthenticated remote attacker can manipulate an input parameter, typically a URL parameter, to specify a path to an arbitrary file on the server's local filesystem. When the application processes this malicious request, it includes and executes or displays the contents of the specified file, granting the attacker read access to sensitive files that the web server process can access, such as /etc/passwd or application configuration files containing database credentials.

This vulnerability is rated as High severity with a CVSS score of 8.1. Exploitation could lead to significant business consequences, including the unauthorized disclosure of sensitive corporate or customer data, intellectual property, and system credentials. A successful attack could serve as a foothold for further network penetration, leading to a full system compromise, reputational damage, loss of customer trust, and potential regulatory fines for non-compliance with data protection standards.

Immediate Action: Organizations must apply the security updates provided by the vendor across all affected products without delay. After patching, administrators should review web server access logs for any signs of past or ongoing exploitation attempts.

Proactive Monitoring: Security teams should monitor web server and WAF logs for requests containing directory traversal patterns (e.g., ../, ..%2f) or attempts to access common sensitive files (e.g., wp-config.php, /etc/passwd, .env). Implement file integrity monitoring on critical application files to detect unauthorized changes.

Compensating Controls: If immediate patching is not feasible, implement the following controls to mitigate risk:

• Deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block Local File Inclusion (LFI) attack patterns.
• Harden the server's PHP configuration by restricting file access with the open_basedir directive to prevent the application from accessing files outside of its intended directories.
• Enforce the principle of least privilege by ensuring the web server process runs with minimal permissions necessary for its operation.

Public Exploit Available: false

Given the high severity (CVSS 8.1) of this vulnerability, immediate action is strongly recommended. Organizations must prioritize the deployment of vendor-supplied patches to all affected ThemeMove MaxCoach products. Although this vulnerability is not yet listed in the CISA KEV catalog, its potential for sensitive data exposure makes it a prime target for opportunistic attackers. Proactive patching and implementation of the recommended monitoring controls are critical to prevent a potential data breach.