A high-severity vulnerability has been identified in multiple AncoraThemes Festy products, which could allow an attacker to read sensitive files from the underlying server. Successful exploitation could lead to the exposure of confidential data, system credentials, and potentially allow for further unauthorized access to the web server. Organizations using the affected software are at significant risk of a data breach and should apply security updates immediately.

The vulnerability is a Local File Inclusion (LFI) flaw resulting from an improper control of filenames used in PHP's include or require statements. An unauthenticated remote attacker can exploit this by manipulating input parameters, typically in a URL, to include and display the contents of arbitrary files on the server's local filesystem. For example, an attacker could craft a request to read sensitive configuration files (e.g., wp-config.php), system user files (e.g., /etc/passwd), or application source code, thereby gaining critical information for further attacks.

This vulnerability is rated as High severity with a CVSS score of 8.2. Exploitation could have a severe impact on the business, leading directly to a data breach. An attacker could steal sensitive customer information, database credentials, API keys, and other proprietary data stored on the server. This exposure could result in significant financial loss, reputational damage, regulatory fines, and a loss of customer trust. If the attacker can leverage the LFI to achieve code execution (e.g., by including a previously uploaded file or poisoning a log file), they could gain complete control of the affected web server.

Immediate Action: Apply the security updates provided by the vendor across all affected products immediately to patch the vulnerability. After patching, review web server access logs and system logs for any signs of past or ongoing exploitation attempts.

Proactive Monitoring: System administrators should actively monitor web server access logs for suspicious requests containing directory traversal patterns (e.g., ../, %2e%2e/) or attempts to access common sensitive files (e.g., wp-config.php, /etc/passwd, .env). Implement and configure a Web Application Firewall (WAF) to detect and block LFI attack patterns in real-time.

Compensating Controls: If immediate patching is not feasible, the following controls can help mitigate risk:

• Deploy a Web Application Firewall (WAF) with a robust ruleset to block LFI and directory traversal attacks.
• Harden the server's PHP configuration by disabling allow_url_include and properly configuring the open_basedir directive to restrict file access to only necessary directories.
• Enforce the principle of least privilege by ensuring the web server's user account has restrictive file permissions and cannot read sensitive files outside of the web root.

Public Exploit Available: false

Given the high CVSS score of 8.2, this vulnerability presents a significant and immediate risk to the organization. Although it is not currently listed on the CISA KEV list, its potential for sensitive data exposure and server compromise warrants urgent attention. We strongly recommend that all affected AncoraThemes Festy products be patched immediately. If patching is delayed for any reason, the implementation of compensating controls, particularly a Web Application Firewall, should be prioritized to reduce the attack surface and protect critical assets.