A high-severity vulnerability has been identified in multiple AncoraThemes products, designated as CVE-2025-58888. This flaw allows an attacker to trick the web application into including and executing unintended files from the local server, which could lead to sensitive information disclosure or complete system compromise. Organizations using the affected software are at significant risk and should apply vendor-supplied patches immediately.

The vulnerability is a Local File Inclusion (LFI) flaw resulting from an improper control of filenames used in PHP's include or require statements. An unauthenticated remote attacker can exploit this by manipulating an input parameter to specify a path to a file on the server's local filesystem. When the application processes this malicious input, it includes the specified file, potentially exposing its contents or, if the file contains executable PHP code, running it with the permissions of the web server process.

This vulnerability is rated as High severity with a CVSS score of 8.2. Successful exploitation could have a severe impact on the business. An attacker could read sensitive configuration files containing database credentials, API keys, or other secrets, leading to a major data breach. Furthermore, if an attacker can write a file to the server (e.g., via another vulnerability or a file upload feature) and then include it using this LFI flaw, they can achieve Remote Code Execution (RCE), granting them full control over the affected server. This could result in service disruption, reputational damage, financial loss, and compromise of the wider network environment.

Immediate Action: Apply the security updates provided by AncoraThemes to all affected products immediately. After patching, it is critical to monitor for any signs of post-patch exploitation attempts and thoroughly review historical access logs for indicators of compromise that may have occurred before the patch was applied.

Proactive Monitoring: Security teams should actively monitor web server access logs for suspicious requests. Look for patterns indicative of LFI attacks, such as directory traversal sequences (../, ..%2f, ..\\), references to common sensitive files (e.g., /etc/passwd, wp-config.php, web.config), and unusual file paths in request parameters. Monitor system behavior for unexpected processes being spawned by the web server user (e.g., www-data, apache).

Compensating Controls: If immediate patching is not feasible, implement the following controls to mitigate risk:

• Deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block LFI and directory traversal attack patterns.
• Harden the server's PHP configuration by ensuring allow_url_fopen and allow_url_include are disabled to prevent remote file inclusion variants.
• Enforce strict file system permissions to limit the web server process's ability to read sensitive files outside of the web root directory.

Public Exploit Available: false

Given the high CVSS score of 8.2 and the potential for complete system compromise, this vulnerability poses a significant risk to the organization. We strongly recommend that all system owners identify and patch affected AncoraThemes products with the utmost urgency. While this vulnerability is not yet on the CISA KEV list, its severity and the ease of exploitation make it a prime target for future attacks. Prioritize patching and implement the recommended monitoring and compensating controls to defend against potential compromise.