A high-severity vulnerability has been identified in multiple AncoraThemes Sanger products. This flaw, known as a Local File Inclusion, could allow an unauthenticated attacker to trick the application into accessing and reading sensitive files on the web server, potentially exposing confidential data, user credentials, and system configuration details. Immediate patching is required to mitigate the risk of a data breach.

This vulnerability is a Local File Inclusion (LFI) flaw that stems from the improper validation of user-supplied input. The application uses a parameter within a PHP include or require statement without sufficiently sanitizing the filename. An unauthenticated remote attacker can exploit this by crafting a malicious request containing directory traversal sequences (e.g., ../) to navigate the server's file system and include arbitrary files. Successful exploitation allows the attacker to read the contents of sensitive files within the permissions of the web server's user account, such as configuration files containing database credentials, system user files like /etc/passwd, or the application's source code.

This vulnerability is rated as High severity with a CVSS score of 8.2. Exploitation could lead to significant business impact, including a direct data breach through the exfiltration of sensitive information stored on the server. The exposure of database credentials, API keys, or other secrets could allow an attacker to pivot and gain deeper access to the network infrastructure. Furthermore, a public breach resulting from this vulnerability could cause severe reputational damage, erode customer trust, and potentially lead to regulatory fines for non-compliance with data protection standards.

Immediate Action: The primary remediation is to apply the security updates provided by the vendor immediately across all affected products. After patching, it is critical to review web server access logs for any signs of past or ongoing exploitation attempts.

Proactive Monitoring: Security teams should actively monitor web server logs for requests containing directory traversal patterns (e.g., ../, ..\/, %2e%2e%2f) in URL parameters. Implement alerts for attempts to access common sensitive files such as wp-config.php, .env, or /etc/passwd. File Integrity Monitoring (FIM) should be used to detect unauthorized changes to critical system or application files.

Compensating Controls: If immediate patching is not feasible, implement the following controls to reduce risk:

• Web Application Firewall (WAF): Deploy a WAF with rulesets designed to block LFI and directory traversal attack patterns.
• PHP Hardening: Ensure the open_basedir directive in the php.ini configuration is set to strictly limit the directories from which PHP can access files.
• Principle of Least Privilege: Verify that the web server process is running with the minimum permissions necessary and cannot read files outside of the web root directory.

Public Exploit Available: false

Given the high-severity CVSS score of 8.2 and the potential for sensitive data exposure, it is strongly recommended that organizations prioritize the immediate application of vendor-supplied patches. While this vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog, its critical nature warrants urgent attention. If patching is delayed for any reason, the compensating controls outlined above, particularly the use of a Web Application Firewall, should be implemented immediately to mitigate risk.