A high-severity vulnerability has been identified in multiple AncoraThemes products, which could allow an unauthenticated attacker to access and execute arbitrary files on the web server. Successful exploitation could lead to the exposure of sensitive information, such as configuration files and user credentials, or a complete compromise of the affected system.

This vulnerability is a Local File Inclusion (LFI) flaw existing within the Pathfinder component used by multiple AncoraThemes products. The application fails to properly sanitize user-supplied input that is used to construct a file path for an include or require statement in PHP. An unauthenticated remote attacker can exploit this by crafting a malicious request containing directory traversal sequences (e.g., ../) to navigate the server's file system and include arbitrary local files. A successful LFI attack could allow the attacker to read sensitive files, such as /etc/passwd or application configuration files containing database credentials, and in some server configurations, may lead to remote code execution (RCE) by including poisoned log files or uploaded files containing PHP code.

This vulnerability presents a significant risk to the organization, rated as High severity with a CVSS score of 8.2. Exploitation can directly lead to a data breach through the unauthorized disclosure of sensitive company and customer data. If an attacker achieves remote code execution, they can gain complete control over the web server, enabling them to install malware, deface the website, pivot to other internal network systems, or disrupt business operations entirely. The potential consequences include severe reputational damage, financial loss from remediation and regulatory fines, and a loss of customer trust.

Immediate Action: The primary and most effective remediation is to apply the security updates provided by AncoraThemes to all affected products immediately. After patching, it is crucial to review web server access logs and system logs for any signs of past or ongoing exploitation attempts.

Proactive Monitoring: Organizations should actively monitor web server logs for suspicious requests containing directory traversal patterns (e.g., ../, ..%2f, %2e%2e/) in URL parameters. Implement a File Integrity Monitoring (FIM) solution to detect unauthorized changes to web application files. Monitor for unusual outbound network traffic from the web server, which could indicate a successful compromise and data exfiltration.

Compensating Controls: If immediate patching is not feasible, implement the following compensating controls to mitigate risk:

• Deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block LFI and directory traversal attacks.
• Harden PHP configurations by disabling potentially dangerous functions like allow_url_include.
• Enforce the principle of least privilege by ensuring the web server's user account has restrictive file system permissions, preventing it from reading sensitive system files.

Public Exploit Available: false

Given the high severity (CVSS 8.2) of this vulnerability and the potential for complete system compromise, it is strongly recommended that the organization treat this as a critical priority. All instances of affected AncoraThemes products must be identified and patched immediately. Although this CVE is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its status could change without warning. If patching is delayed for any reason, the compensating controls outlined above, particularly the use of a WAF, should be implemented as an urgent temporary measure.