A high-severity vulnerability has been identified in multiple axiomthemes Towny products, carrying a CVSS score of 8.2. This flaw allows an attacker to trick the web application into revealing the contents of sensitive files on the server. Successful exploitation could lead to the theft of confidential data, such as configuration details and user credentials, potentially enabling further unauthorized access to the system.

The vulnerability is a Local File Inclusion (LFI) flaw resulting from the improper sanitization of user-supplied input used in PHP include or require statements. An unauthenticated remote attacker can manipulate input parameters, typically in the URL, to include path traversal sequences (e.g., ../). This forces the application to load and display the contents of arbitrary files from the server's local filesystem, limited only by the web server's file permissions. An attacker could exploit this to read sensitive files like /etc/passwd, application source code, or configuration files containing database credentials.

This vulnerability is classified as High severity with a CVSS score of 8.2. Exploitation could lead to a significant data breach, exposing sensitive corporate or customer information stored on the server. The potential consequences include theft of intellectual property, exposure of user credentials, and compromise of system secrets like API keys and database passwords. This could result in direct financial loss, severe reputational damage, regulatory fines, and provide a foothold for attackers to launch more extensive attacks against the organization's infrastructure.

Immediate Action: Immediately apply the security updates provided by the vendor across all affected axiomthemes products. After patching, review web server access logs for any signs of past or ongoing exploitation attempts.

Proactive Monitoring: Security teams should actively monitor web server logs for suspicious requests containing path traversal characters (e.g., ../, ..\, %2e%2e%2f) in URL parameters. Set up alerts for attempts to access common sensitive files such as wp-config.php, .env, or system files like /etc/passwd. Monitor for unusual outbound traffic, which could indicate data exfiltration.

Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) with rules specifically designed to detect and block LFI and path traversal attack patterns. Additionally, harden the server environment by enforcing strict file permissions to limit the files the web server process can access and configure PHP's open_basedir directive to restrict file access to specific directories.

Public Exploit Available: false

Given the high severity (CVSS 8.2) of this vulnerability and its potential for exposing sensitive data, we strongly recommend that organizations identify all instances of the affected axiomthemes products and apply the vendor-supplied patches as a top priority. Although this vulnerability is not currently listed on the CISA KEV list, its critical nature warrants immediate attention to prevent potential system compromise and data breaches. Proactive patching is the most effective defense against future exploitation.