CVE-2025-58892

AncoraThemes · AncoraThemes Tourimo Multiple Products

A high-severity vulnerability has been identified in multiple AncoraThemes Tourimo products, which could allow an unauthenticated attacker to read sensitive files on the web server.

Executive summary

A high-severity vulnerability has been identified in multiple AncoraThemes Tourimo products, which could allow an unauthenticated attacker to read sensitive files on the web server. Successful exploitation could lead to the disclosure of confidential information, such as database credentials and system configuration files, potentially resulting in a full compromise of the affected website and its underlying server. Organizations are urged to apply the vendor-supplied security update immediately to mitigate this significant risk.

Vulnerability

The vulnerability is a Local File Inclusion (LFI) flaw within the AncoraThemes Tourimo products. It exists due to improper validation of user-supplied input that is used as a path in a PHP include or require statement. An unauthenticated remote attacker can exploit this by crafting a malicious request containing directory traversal sequences (e.g., ../../) to navigate the server's file system and include arbitrary local files. This could allow the attacker to read the contents of sensitive files such as wp-config.php (containing database credentials), /etc/passwd, or other application source code and configuration files accessible by the web server's user account.
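The defect class described above, as an added example that is not code from the Tourimo theme or from AncoraThemes: the first function is the generic shape of an include whose path comes straight from the request, the second is a hardened replacement that maps the request to a fixed allowlist and then re-checks the resolved path. The parameter name `template`, the `templates/` directory and the allowlist entries are assumptions for illustration, not values taken from the advisory.

```php
<?php
// Added example, not the theme's code. The advisory describes user-supplied input
// reaching a PHP include/require as a path; render_template_vulnerable() shows the
// generic shape of that defect, resolve_template()/render_template_hardened() a fix.
// "template", templates/ and the allowlist entries are illustrative assumptions.

// --- Vulnerable shape: the request value becomes part of the include path ---
function render_template_vulnerable(string $requested): void
{
    // Traversal sequences such as ../../ in $requested walk out of templates/ and
    // include any file the web server user can read (e.g. wp-config.php).
    include __DIR__ . '/templates/' . $requested;
}

// --- Hardened replacement: allowlist first, resolved-path check second ---
const TEMPLATE_DIR = __DIR__ . '/templates';
const TEMPLATE_ALLOWLIST = ['list', 'grid', 'map'];

/**
 * Map a user-supplied template name to an absolute file path, or return null
 * when the name is not allowlisted or the resolved path leaves TEMPLATE_DIR.
 */
function resolve_template(string $requested): ?string
{
    // 1. Exact match against a fixed set of names; '../../x' never gets past here.
    if (!in_array($requested, TEMPLATE_ALLOWLIST, true)) {
        return null;
    }

    // 2. Build the path from constants only; the extension is not attacker-controlled.
    $candidate = TEMPLATE_DIR . '/' . $requested . '.php';

    // 3. Defence in depth: resolve '..' and symlinks, then confirm the file still
    //    lives under TEMPLATE_DIR. realpath() returns false if the file is missing.
    $real = realpath($candidate);
    $base = realpath(TEMPLATE_DIR);
    if ($real === false || $base === false) {
        return null;
    }
    if (strncmp($real, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $real;
}

function render_template_hardened(string $requested): void
{
    $path = resolve_template($requested);
    if ($path === null) {
        // Log and refuse rather than fall back to a guessed file.
        error_log('rejected template request: ' . $requested);
        http_response_code(400);
        echo 'Unknown template';
        return;
    }
    include $path;
}

render_template_hardened((string) ($_GET['template'] ?? 'list'));
```

The allowlist alone closes the hole; the `realpath()` comparison is there so that a later edit which loosens the allowlist (for example, accepting arbitrary file names) still cannot escape the template directory, and it is the same containment that `open_basedir` enforces process-wide.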

Business impact

This vulnerability is rated as High severity with a CVSS score of 8.2. A successful attack could have a severe impact on the business, leading to a significant data breach. By accessing sensitive configuration files, an attacker could steal database credentials, leading to the theft or modification of all website data, including customer information. Furthermore, the information gathered through this vulnerability could facilitate more complex attacks, potentially leading to a full server compromise. This poses a direct risk to data confidentiality and integrity, and could result in reputational damage, regulatory fines, and financial loss.

Remediation

Immediate Action: Apply the security updates provided by AncoraThemes to all affected products without delay. After patching, it is crucial to monitor web server access logs and security dashboards for any signs of attempted or successful exploitation that may have occurred prior to remediation.

Proactive Monitoring: Security teams should actively monitor web server access logs for requests containing directory traversal patterns (e.g., ../, ..%2f, ..\) in URL parameters. Implement and monitor alerts from a Web Application Firewall (WAF) for rules that detect and block LFI attempts. Monitor file integrity on the server to detect unauthorized changes or access to critical system files.
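The log review described above, as an added example that is not part of the advisory: a small scanner for combined-format web server access logs that flags requests carrying the traversal patterns listed, including URL-encoded and double-encoded forms, and keeps the HTTP status so that a 200 response to such a request can be escalated. The log lines are constructed sample data, and the parameter name `template` is a placeholder because the advisory does not name the vulnerable parameter.

```php
<?php
// Added example, not from the advisory or the vendor: scans access log lines
// (combined log format) for the directory traversal patterns the advisory names.
// The sample lines are constructed; "template" is a placeholder parameter name.

/**
 * True if the request target contains a directory traversal sequence. The raw
 * string and its single- and double-decoded forms are all checked so that
 * ../, ..%2f, %2e%2e/, %252e%252e%252f and ..\ are treated alike.
 */
function has_traversal(string $target): bool
{
    $variants = [$target, urldecode($target), urldecode(urldecode($target))];
    foreach ($variants as $v) {
        // Normalise case and backslashes so ..\ and ..%5C match like ../
        $v = str_replace('\\', '/', strtolower($v));
        if (strpos($v, '../') !== false) {
            return true;
        }
    }
    return false;
}

/**
 * Parse combined-log-format lines and return one record per suspicious request.
 * The HTTP status is kept because a 200 on a traversal request is the signal
 * worth escalating; a 403 usually means a WAF or the application rejected it.
 */
function scan_access_log(array $lines): array
{
    $pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match($pattern, $line, $m)) {
            continue; // malformed or non-request line
        }
        [, $ip, $time, $method, $target, $status] = $m;
        if (has_traversal($target)) {
            $hits[] = [
                'ip'     => $ip,
                'time'   => $time,
                'method' => $method,
                'target' => $target,
                'status' => (int) $status,
            ];
        }
    }
    return $hits;
}

// Constructed sample lines: one benign request and three traversal attempts in
// different encodings, one of which was answered with 200.
$sampleLog = [
    '198.51.100.10 - - [12/Oct/2025:09:14:02 +0000] "GET /?template=list HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [12/Oct/2025:09:15:41 +0000] "GET /?template=../../etc/passwd HTTP/1.1" 403 199 "-" "curl/8.4.0"',
    '203.0.113.7 - - [12/Oct/2025:09:15:43 +0000] "GET /?template=..%2f..%2fwp-config.php HTTP/1.1" 200 2874 "-" "curl/8.4.0"',
    '203.0.113.7 - - [12/Oct/2025:09:15:45 +0000] "GET /?template=%252e%252e%252fwp-config.php HTTP/1.1" 404 0 "-" "curl/8.4.0"',
];

foreach (scan_access_log($sampleLog) as $hit) {
    $flag = $hit['status'] === 200 ? 'POSSIBLE SUCCESS' : 'blocked/failed';
    printf("%s %s %s %s -> %d (%s)\n",
        $hit['time'], $hit['ip'], $hit['method'], $hit['target'], $hit['status'], $flag);
}
```

Run it against a real log by replacing `$sampleLog` with `file('/path/to/access.log', FILE_IGNORE_NEW_LINES)`. On the sample, the three traversal lines are reported and only the `..%2f` request is marked as a possible success; a 200 with a non-trivial byte count on such a request is the case that warrants treating the host as compromised and rotating the credentials held in `wp-config.php`.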

Compensating Controls: If immediate patching is not feasible, the following compensating controls should be implemented:

  • Deploy a Web Application Firewall (WAF) with a strict ruleset designed to block LFI and directory traversal attacks.
  • Harden the server's PHP configuration by ensuring allow_url_include is disabled and configuring open_basedir to restrict file access to only the necessary directories.
  • Enforce the principle of least privilege by running the web server with a dedicated, low-privilege user account and applying strict file system permissions.
  • If possible, temporarily disable the affected theme or plugin until it can be safely patched.

Exploitation status

Public Exploit Available: false

Analyst recommendation

Given the high CVSS score of 8.2 and the potential for complete website compromise, this vulnerability requires immediate attention. Although it is not currently listed on the CISA KEV catalog, its nature as a file inclusion flaw makes it a critical risk. We strongly recommend that organizations identify all instances of the affected AncoraThemes products and apply the vendor-provided security patches immediately. If patching is delayed, implement the recommended compensating controls, particularly a Web Application Firewall, to reduce the risk of exploitation.